If you haven’t heard the news, you should go check for and delete the DigiNotar[1] CA certificate from your Certificate / Authorities list if you use Firefox; whatever browser you use, you should check it.
I just read this security bulletin from Firefox; I am glad I subscribed to it. The story began with this post, in which an Iranian reported a suspected man-in-the-middle attack. It’s around one day old (that help forum doesn’t have a time stamp tag), but the valid certificate was issued back on July 10.
Screenshots from the OP’s zip file[2]:
Almost two months; if no one had ever noticed, it could have been even longer.
I gotta quote this, from the center of the homepage[1]:
DigiNotar®, Internet Trust Provider
As independent Internet Trust Service Provider DigiNotar focuses on ensuring the integrity of information flow, and legal guarantees for all online information exchange.
If you read the post, it sounds scary because the OP claimed Iranians might face death because of it, if it’s really the Iranian government and ISP behind the whole thing. Of course, we will never know. One thing is for sure: DigiNotar earned a Wikipedia page and lots of inbound links (I provide one).
Anyway, it seems anything that claims to be secure is, well, not so much. You see a green bar in the address bar; that might just be a comforting, happy, greenish bar. What you see might not be what you expect.
If you look into your CA list, 99.999% of people have probably never heard of 99% of them. I am one of them. Authority? My a$$ is more trustworthy.
Someone might be reading this post as you are reading via your connection…
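To go with the advice above about finding DigiNotar in your CA list, here is an added example (not part of the original post) that scans a trust store for entries issued to or by a distrusted name. It assumes the store Python's OpenSSL loads, which is separate from Firefox's own list; the function names and the sample entries are constructed for illustration.

```python
import ssl

# Name fragment to look for; the post names DigiNotar as the CA to remove.
DISTRUSTED = ("diginotar",)


def _name_values(name):
    """Flatten an ssl-style name ((("organizationName", "X"),), ...) into its values."""
    return [value for rdn in name for _key, value in rdn]


def find_distrusted(ca_certs, needles=DISTRUSTED):
    """Return (serial, matched fields) for each entry whose subject or issuer
    contains a needle. Checking the issuer as well as the subject also catches
    certificates that were merely signed by the distrusted CA."""
    hits = []
    for cert in ca_certs:
        fields = sorted(
            field
            for field in ("subject", "issuer")
            if any(n in value.lower()
                   for value in _name_values(cert.get(field, ()))
                   for n in needles)
        )
        if fields:
            hits.append((cert.get("serialNumber", "?"), fields))
    return hits


def audit_default_store():
    """Scan the CA certificates OpenSSL has loaded for this Python install.
    Certificates in a hashed directory (capath) load lazily and may not be listed."""
    return find_distrusted(ssl.create_default_context().get_ca_certs())


# Constructed sample entries in the shape SSLContext.get_ca_certs() returns.
_BAD = ((("organizationName", "DigiNotar"),), (("commonName", "Constructed Root"),))
_GOOD = ((("organizationName", "Example Org"),), (("commonName", "Example Root"),))
_SUB = ((("organizationName", "Example Org"),), (("commonName", "Example Sub CA"),))
SAMPLE = [
    {"subject": _BAD, "issuer": _BAD, "serialNumber": "01"},    # self-signed root
    {"subject": _SUB, "issuer": _BAD, "serialNumber": "02"},    # signed by that root
    {"subject": _GOOD, "issuer": _GOOD, "serialNumber": "03"},  # unrelated root
]

if __name__ == "__main__":
    print("sample:", find_distrusted(SAMPLE))
    print("this machine:", audit_default_store() or "no match")
```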
[1] http://www.diginotar.com/ is gone and the company is defunct after this incident.
[2] http://ompldr.org/vYTQ3OA/gmail_certificate_error_SSL_MITM_ATTACK_BY_IRANIAN_GOVERNMENT.JPG and http://ompldr.org/vYTQ3OQ/gmail_certificate_error_SSL_MITM_ATTACK_BY_IRANIAN_GOVERNMENT_view.JPG are gone.