Hackers May Have Nabbed Over 200 SSL Certificates
CWmike writes "Hackers may have obtained more than 200 digital certificates from a Dutch company after breaking into its network, including ones for Mozilla, Yahoo and the Tor project — a considerably higher number than DigiNotar has acknowledged earlier this week when it said 'several dozen' certificates had been acquired by attackers. Among the certificates acquired by the attackers in a mid-July hack of DigiNotar, Van de Looy's source said, were ones valid for mozilla.com, yahoo.com and torproject.org, a system that lets people connect to the Web anonymously. Mozilla confirmed that a certificate for its add-on site had been obtained by the DigiNotar attackers. 'DigiNotar informed us that they issued fraudulent certs for addons.mozilla.org in July, and revoked them within a few days of issue,' Johnathan Nightingale, director of Firefox development, said Wednesday. Looy's number is similar to the tally of certificates that Google has blacklisted in Chrome."
Boring (Score:5, Informative)
Re:Boring (Score:4, Informative)
In response to the DigiNotar incidents, some people are removing the root CA for DigiNotar from their computers. This way your computer will not trust _anything_ signed by DigiNotar.
With DNSSEC, if the people in charge of your DNS have an incident (hackers, malpractice or otherwise) which changes the "certificate" (for lack of a better word) for your website, you are stuck. There is no "root" certificate that you can remove.
Re:Wait a second... (Score:5, Informative)
...wouldn't the certs be useless without the associated private keys?
No, the government of Iran generated a key and a CSR for *.google.com, had Diginotard sign them (not sure if this was social or technical hack) and then deployed them inline for a MitM attack on the residents of the area their organization controls.
They have the key and the cert. They didn't get Google's key or cert, they have their own.
I wonder how many dissidents have died because of this sloppy CA and the reliance on the CA system.
Re:That's it, fuck CAs (Score:4, Informative)
Couldn't agree more. Links for the lazy: Convergence [convergence.io] and Perspectives [perspectives-project.org].
Enjoy.