Mozilla addons site targeted in same attack that hit Google The secure webpage hosting addons for Mozilla Firefox was targeted in the same attack that minted a fraudulent authentication credential for Google websites, the maker of the open-source browser said. "DigiNotar informed us that they issued fraudulent certs for addons.mozilla.org in July, and revoked them within a few days of …
I emailed them asking if they had much to say, their response was
"At this moment the large browsers removed the DigiNotar root from their trusted list. This is a temporary measure.
Please read our press release for further details and steps to be taken solve this for our customers."
Somehow I don't think Mozilla.Chrome will be letting them back in for some time. I wonder if their clients will get refunds on their certificates since they don't work with a big chunk of the clients now.
I imagine governments want to read the hotmail / yahoo emails of people they are interested in too, I also doubt that these other services are impossible to intercept (especially given the nature of this attack).
It seems more likely that the other services either don't wish to disclose attacks or just willingly give up information when asked.
So one certificate authority was hacked and didn't say anything to anyone about it until a month later the hack was discovered by an outsider.
The bogus *.google.com SSL certificate was only discovered because someone was using google chrome a google chrome was recently updated to check for such hacks.
What if an attacker was going after bank SSL certificates, or Canadian government SSL certificates, not web browser manufacturer SSLs? Who would detect that? And how many months or years would it take before it was stumbled upon?
And who (other than blackhat hackers) is checking that SSL certificate issuers practice secure measures and have secure systems?
How many governments around the world have been making bogus SSL certificates as a normal bureaucratic process? Western governments and China to conduct espionage, third world governments and China to steal intellectual property and commit other types of fraud.
"In the absence of a full account of mis-issued certificates from DigiNotar, the Mozilla team moved quickly to remove DigiNotar ......"
"Nightingale didn't say how many Mozilla certificates were issued and if they were actively used to intercept the communications of people accessing the address"...
So are all other browser makers now allowed to block access to Mozilla?
Have you ever looked at the list of "trusted" agencies in your browser? The world and its dog can issue certificates.
Given that almost anyone can issue certificates and that it's probably foolish to assume that *none* of the Certificate Authorities are compromised at a deep level by one or more foreign governments, let along a bunch of hackers pushing on the backdoor, I think it's safe to say the browser security based on Certificate Authorities is now completely broken.
"and if they were actively used to intercept the communications of people accessing the address"
So if $black_hat had the mis-issued cert, and could also poison DNS to point users to the wrong server, that communication would go nowhere near Mozilla.
To use a car analogy, if someone clones my number plates, I won't be able to tell you if the cloner (or his customer) has committed any other crimes. Until the summons turns up.
So is Iran behind this? The targets - Yahoo, Tor, Wordpress, Google (in Iran!) and Baladin (Iranian blogging service) - are pretty strong indicators. None of those are financially lucrative targets in themselves, or much good for spammers who aren't targeting Iranians.
Having read about some of the stuff the Iranian government got up to in the last three decades, they seem to be rather a law unto themselves. It's rather worrying that they're now targeting online infrastructure.
I know it is kind of a statement of the obvious, but the bogus Certificates are still only of value for the attackers if there is a possibility to redirect. In other words, they have to either control the network at a macro scale or control where the users are directed from some local method of fraudulent name resolution. DNS control or malware for redirection. Either are required. This exploit is no good alone.
That said, I wonder how many account/password combos got skimmed. No warnings about that? Hmph.
@AC 09:56 GMT, I am with you on this! They would have no idea. Fake login screen...grab the credentials...
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
