Practical Technology

for practical people.

Fake SSL certificates pirate Web sites

There’s never much you could really trust in computer security, but you could usually put your faith in a Hypertext Transfer Protocol Secure (HTTPS) connection being secure. The combination of the Web’s HTTP and security provided by the Transport Layer Security (TLS) or Secure Sockets Layer (SSL) protocols was a gold standard of Internet security. Oh well, it was nice while it lasted. Now we need to be wary of those as well thanks to DigiNotar, a Dutch Certificate Authority (CA), being cracked and then issuing fake SSL certificates.

Here’s how this newest network security fiasco came about. DigiNotar was cracked on August 28th by a Farsi speaking cracker, probably from Iran. Once in, he was able to issue public key certificates for numerous legitimate sites, such as Google and Microsoft to various malicious ISPs.

So, what did that mean for users? Say you were in Tehran and you wanted to check your Gmail account. If you log into your account, and your ISP has been corrupted or is in on the SSL certificate fraud, it would look like you have a normal secure connection to Gmail. Wrong.

More >

Comments are closed.