Fraudulent *.google.com certificate issued

Posted Sep 1, 2011 20:35 UTC (Thu) by Comet (subscriber, #11646)
In reply to: Fraudulent *.google.com certificate issued by nix
Parent article: Fraudulent *.google.com certificate issued

The only public evidence I've seen for the multiple breaches claim is screenshots showing that a CMS let people create pages with new names and those pages would be served up, accompanied by hyperbole.

Stupid, but the screenshots were also showing plain text, so there's also a slim chance that there wasn't even a cookie-stealing attack made possible by this. Just bragging rights in getting plaintext up under an available name of your choice.

Stupid CMS for some web content is a long way from breach of the signing systems. If your news source is a company which sells security services, then hyperbolic claims on their part in talking up the implications of what they found are to be expected.

I'd hope that technical decisions about trust are based on more than panicked responses by non-technical decision makers to hyperbole they take at face value because they don't understand the issues.

So I'm assuming that there's yet more to this story that hasn't come out yet.


Fraudulent *.google.com certificate issued

Posted Sep 6, 2011 19:52 UTC (Tue) by Comet (subscriber, #11646)

Okay, we now have multiple breaches evidence (but not the "over years" part):

https://blog.torproject.org/blog/diginotar-damage-disclosure

Excuse me while I cry into a drink.

Fraudulent *.google.com certificate issued

Posted Sep 6, 2011 20:38 UTC (Tue) by nix (subscriber, #2304)

Um, those earlier breaches that the Tor post points to were apparently done in *2009*. That would be, well, years ago.

