Hackers have gained access to and made publicly available a digital SSL Certificate for any Google website.
This means that anyone with this certificate could perform a "man-in-the-middle" attack to target Gmail users, Google Plus users, or any other users using Google's online services.
If a hacker is going to steal a certificate, this is definitely the one to get since its considered a wildcard certificate - good for any .Google.com domain. All a hacker has to do is present a fake web site which looks like Google, by poising of DNS or other means, and then present the stolen certificate. Because the certificate is legitimate for any Google.com domain the users would have no warning at all that anything is amiss. Then the attacker could easily steal your login credentials gaining access to all of your Google services.
This specific certificate stolen was issued by DigiNotar, a Dutch-based certificate authority (CA). It's not known if DigiNotar was hacked or if the certificate was stolen by other means.
"The certificate authority system was created decades ago in an era when the biggest on-line security concern was thought to be protecting users from having their credit card numbers intercepted by petty criminals," said the Electronic Frontier Foundation a digital rights group based in the United States. "Today internet users rely on this system to protect their privacy against nation-states. We doubt it can bear this burden."
There has already been reports of Iranian web users being attacked by using the stolen certificate but Google Chrome was already updated to thwart the attack. Google has also already revoked the certificate so that it no longer works.
Google spoke in a statement yesterday that they were "pleased that the security measures in Chrome protected the user and brought this attack to the public's attention. While we investigate, we plan to block any sites whose certificates were signed by DigiNotar."
This means that anyone with this certificate could perform a "man-in-the-middle" attack to target Gmail users, Google Plus users, or any other users using Google's online services.
If a hacker is going to steal a certificate, this is definitely the one to get since its considered a wildcard certificate - good for any .Google.com domain. All a hacker has to do is present a fake web site which looks like Google, by poising of DNS or other means, and then present the stolen certificate. Because the certificate is legitimate for any Google.com domain the users would have no warning at all that anything is amiss. Then the attacker could easily steal your login credentials gaining access to all of your Google services.
This specific certificate stolen was issued by DigiNotar, a Dutch-based certificate authority (CA). It's not known if DigiNotar was hacked or if the certificate was stolen by other means.
"The certificate authority system was created decades ago in an era when the biggest on-line security concern was thought to be protecting users from having their credit card numbers intercepted by petty criminals," said the Electronic Frontier Foundation a digital rights group based in the United States. "Today internet users rely on this system to protect their privacy against nation-states. We doubt it can bear this burden."
There has already been reports of Iranian web users being attacked by using the stolen certificate but Google Chrome was already updated to thwart the attack. Google has also already revoked the certificate so that it no longer works.
Google spoke in a statement yesterday that they were "pleased that the security measures in Chrome protected the user and brought this attack to the public's attention. While we investigate, we plan to block any sites whose certificates were signed by DigiNotar."
No comments:
Post a Comment