Security Google Government The Internet

India's National Informatics Centre Forged Google SSL Certificates 107

Posted by timothy
from the who-can-you-trust? dept.
NotInHere (3654617) writes As Google writes on its Online Security Blog, the National Informatics Centre of India (NIC) used its intermediate CA certificate, issued by Indian CCA, to issue several unauthorized certificates for Google domains, allowing it to perform man-in-the-middle attacks. Possible impact, however, is limited, as, according to Google, the root certificates for the CA were only included in the Windows root store, which Firefox doesn't use, and for the Chrom{e,ium} browser the CA for important Google domains is pinned to the Google CA. According to its website, the NIC CA has suspended certificate issuance, and, according to Google, its root certificates were revoked by Indian CCA.
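The summary's point about pinning is worth seeing in code: a chain from the NIC sub-CA is a perfectly valid X.509 chain under the Windows root store, and only a pin set keyed on the expected CA's public key rejects it. The following is an added example written for this page, not Google's or Chromium's code; the SPKI byte strings are constructed stand-ins (real pins are SHA-256 over the DER-encoded SubjectPublicKeyInfo), and the pinned-host table is an assumption about how a per-domain pin list with an includeSubdomains flag is looked up.

```python
import base64
import hashlib

# Constructed stand-ins for the DER SubjectPublicKeyInfo of each certificate.
# Only the *shape* of the check matters here; real pins hash real SPKI bytes.
SPKI = {
    "google-ca":        b"constructed SPKI: Google intermediate CA",
    "google-root":      b"constructed SPKI: root that signs the Google CA",
    "leaf-google":      b"constructed SPKI: genuine www.google.com leaf",
    "nic-subca":        b"constructed SPKI: NIC intermediate CA",
    "india-cca-root":   b"constructed SPKI: India CCA root",
    "leaf-forged":      b"constructed SPKI: forged www.google.com leaf",
}


def spki_pin(spki_der: bytes) -> str:
    """Pin value: base64(SHA-256(SPKI DER)), the encoding HPKP and Chrome use."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def chain_satisfies_pins(chain_spkis, pin_set) -> bool:
    """A chain passes if ANY certificate in it carries a pinned public key.
    Pinning the CA rather than the leaf lets leaf certificates rotate freely
    while still rejecting every chain that does not pass through that CA."""
    return any(spki_pin(s) in pin_set for s in chain_spkis)


# Assumed pin table: host -> pins and whether subdomains inherit them.
# Pinning two keys (CA plus its root) is the usual backup-pin practice.
PINNED_HOSTS = {
    "google.com": {
        "pins": {spki_pin(SPKI["google-ca"]), spki_pin(SPKI["google-root"])},
        "include_subdomains": True,
    },
}


def pins_for_host(hostname: str):
    """Walk up the labels; a parent entry applies only if include_subdomains."""
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        entry = PINNED_HOSTS.get(".".join(labels[i:]))
        if entry and (i == 0 or entry["include_subdomains"]):
            return entry["pins"]
    return None


def accept_chain(hostname: str, chain_spkis) -> bool:
    """Run AFTER ordinary path validation has already succeeded: pins never
    make a bad chain good, they only reject otherwise-valid chains."""
    pins = pins_for_host(hostname)
    if pins is None:
        return True          # host is not pinned; path validation alone decides
    return chain_satisfies_pins(chain_spkis, pins)


LEGIT_CHAIN = [SPKI["leaf-google"], SPKI["google-ca"], SPKI["google-root"]]
FORGED_CHAIN = [SPKI["leaf-forged"], SPKI["nic-subca"], SPKI["india-cca-root"]]

if __name__ == "__main__":
    print("genuine chain for www.google.com:", accept_chain("www.google.com", LEGIT_CHAIN))
    print("NIC chain for mail.google.com:  ", accept_chain("mail.google.com", FORGED_CHAIN))
    print("NIC chain for an unpinned host: ", accept_chain("example.org", FORGED_CHAIN))
```

The last line of the demo is the caveat the summary hints at: pinning protects only the domains on the pin list, so a forged certificate for any other site chained through the same sub-CA would still have been accepted by a client that trusts the Indian CCA root.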


  • Repercussions? (Score:3, Interesting)

    by Anonymous Coward on Thursday July 10, 2014 @08:50AM (#47423445)

    Will there be any repercussions for this?

    The National Informatics Centre of India did abuse something.
    Will the National Informatics Centre of India be able to continue with such abuses and do this again in the future?
    Or will they lose this ability?

    What will happen now?

    They have shown that they can not be trusted. They must lose the power to do this.

    Pull someones certificates or kill some CA. Someone needs to suffer because of this.

    • by Anonymous Coward on Thursday July 10, 2014 @09:00AM (#47423483)

      They must lose the power to do this.

      No one can be trusted. The system/infrastructure must be designed to take into account untrustworthiness of all parties involved. WoT [wikipedia.org].

      • by Anonymous Coward on Thursday July 10, 2014 @09:22AM (#47423591)

        Alternatives like namecoin and distributed trustless security is the only option that will work in the long term.

        Centralized entities - from corporations to governments - will always be corrupted and used by someone to attempt to obtain an advantage over someone else. Centralized power corrupts.

      • by Anonymous Coward on Thursday July 10, 2014 @09:28AM (#47423637)

        I've always wondered if one could use large botnets to "pre-approve" rogue certificates in WoT models.

        Maybe not for Google certificates which see billions of uses a day, but surely one could "outvote" lesser used certificates with enough hosts.

        • by Cajun Hell (725246) on Thursday July 10, 2014 @12:34PM (#47424945) Homepage Journal

          If you think that might work, then keep learning. The botnets' "vote" only gets counted if someone decides to trust all of them. And if you can arrange that, then you don't need a botnet, you just need one node.

          All that matters is how your fake node (or web of fake nodes) is connected to the victim.

          • by Anonymous Coward on Thursday July 10, 2014 @02:34PM (#47425891)

            Maybe in a PGP style WoT, but in the case of the Firefox WOT plugin [mozilla.org] we have:

            WOT ratings and reviews are powered by a global community of millions of users who rate websites based on their personal experiences. In addition, third-party sources are used to warn you about malicious software and other technical threats that you might encounter.

            You can share your experiences by rating sites yourself and help make the Internet a safer place for everyone.

            Sounds like a botnet using the plugin could have an impact on a site's reputation.

            • by Cajun Hell (725246) on Thursday July 10, 2014 @03:50PM (#47426467) Homepage Journal

              Oops, didn't realize we were talking about something like that.

              That plugin is a kind of neat idea (I approve) but it's very poorly named and doesn't seem to have anything in common with a real "web of trust." I'd probably be madder about the atrocious name if I didn't happen to like the plugin.

              That gives me an idea: I should make a program for X11 users, where the five hundredth and ninth time someone opens a new window, it generates a PDF containing an extravagant statement of the accomplishment. Then I could call the program "X.509 Certificate Authority" just to fuck with everyone.

              I also have an idea for an internet communications protocol which provides the social verification (the "proof" I think he called it) of Metcalf's Internet Teranodes Metric, but I'm trying to think of a concise way to explain that to people.

              What's interesting about my MITM-proof thing is that it was computer-generated. I just had to provide the right seed (the "key" according to the software's docs) to the Pseudorandom Generated Proof engine. If you don't want me to explain how the MITM-proof works, I can just give you the PGP key and you can study the output yourself, in your own Virtual Information Monitor window, or Enhanced Markup Automatic Correlation Searcher if you prefer that approach.

      • Re:Repercussions? (Score:5, Insightful)

        by Z00L00K (682162) on Thursday July 10, 2014 @09:33AM (#47423669) Homepage

        This yet again highlights that the three-party trust system is broken.

        There are ways around it, but there is no great solution - only workarounds.

      • Re:Repercussions? (Score:4, Interesting)

        by INT_QRK (1043164) on Thursday July 10, 2014 @11:00AM (#47424271)
        “Power attracts the corruptible. Suspect any who seek it.” Frank Herbert, Chapterhouse: Dune
    • Re:Repercussions? (Score:0, Interesting)

      by Anonymous Coward on Thursday July 10, 2014 @09:01AM (#47423491)

      India is a very corrupt country.

      I only see this as a good thing because it will reflect on companies that outsource to India and put the spotlight where it needs to be at - why do we trust these people with our customers?

      As someone who has dealt with far too many Indian "customer service representatives" and actually had one attempt to charge my credit card $5000 to get a return flight from Ireland after the company cancelled my plane ticket (I was shanghaied and I live in the USA), I have no intention of dealing with any company in the future that outsources to India.

      I lost 1300 euros that trip, It will never happen again.

      • by Anonymous Coward on Thursday July 10, 2014 @09:36AM (#47423685)

        If you do business with an Indian you are an accomplice, not a victim.

      • by INT_QRK (1043164) on Thursday July 10, 2014 @11:04AM (#47424309)
        The bargain lies in the relatively low cost of relatively skilled labor. Other considerations, where there might be awareness, are secondary, or less.
      • by Anonymous Coward on Thursday July 10, 2014 @11:42AM (#47424579)

        Wow is this not racism. I had similar experience dealing with Irish cs representatives

      • by sjames (1099) on Thursday July 10, 2014 @03:06PM (#47426131) Homepage

        Never do business with anyone who outsources customer service at all. The 'representative' only has the power to read from the flip chart. They absolutely do not have the authority to fix the problem and they do not know who does or how to contact them.

        • by shaitand (626655) on Thursday July 10, 2014 @06:36PM (#47427801) Journal
          What makes you think it's any different with internal customer service at any sizable company?
        • by david_thornley (598059) on Friday July 11, 2014 @11:16AM (#47431441)

          Outsourced customer service is generally paid by the call. This means that the ideal call is a short one where the customer is satisfied enough not to raise a ruckus, but will run into problems and have to call back. Even if there is any way to pass feedback to the software vendor, it isn't in the customer service's interest to provide it, as clarifying a confusing thing in the software could lead to serious loss of revenue. That also means that the software vendor doesn't have the information to either fix things or even figure out what team is making confusing things.

          This is also effectively true when a badly run software company runs its own customer service. A well-run company, however, can get useful information out of customer service, and has the ability to actually solve problems. It has incentive to fix difficult problems and data to find them. It's more expensive up front, but if you can reduce the number of calls, by reducing the number of customers with problems, you can save money in the long run.

          If a company actually cares, it can also use excellent customer service to keep customers. I still have warm feelings for Apple based on a customer service call several years ago, in which I was quickly talking to somebody who understood what I was talking about, proposed a solution that worked, and provided useful supplementary information. You don't get that from outsourced service from Bangladesh.

    • by IamTheRealMike (537420) <mike@plan99.net> on Thursday July 10, 2014 @02:00PM (#47425605) Homepage

      They have shown that they can not be trusted. They must lose the power to do this.

      Pull someones certificates or kill some CA. Someone needs to suffer because of this.

      What happens now is that there's an investigation. Depending on the outcome the CA may be revoked for good, or merely forced to reissue lots of certificates. The deciding factor is the reason for the screwup - for instance they may have got hacked, rather than been actively corrupt. In that case Microsoft will have to decide if they have patched things up enough to continue as part of their root store program or whether to pull the plug. I doubt many people have certs issued by this CA so the damage would be relatively minimal.

      Unfortunately you can't just kill any CA that screws up. For one, if the CA was widely used it'd be disrupted. For another, nothing is unhackable, especially when you get the NSA involved. Expecting CA's to be able to reliably fight off professional hackers from dozens of governments and never ever fail is likely an impossible standard to ever meet.

      Hard decisions ahead for browser and OS makers for sure ...

      • by BitZtream (692029) on Thursday July 10, 2014 @03:45PM (#47426435)

        Expecting CA's to be able to reliably fight off professional hackers from dozens of governments and never ever fail is likely an impossible standard to ever meet.

        Yet that is exactly what they are supposed to do. It's not even really that hard.

        Every CA hack to date has been preventable and was the fault of the CA simply not putting the required effort into doing their job, or being flat out malicious. Stop trying to make it out like it's an uber hard job; it's not.

      • by shaitand (626655) on Thursday July 10, 2014 @06:42PM (#47427839) Journal
        Seriously? How hard is it to put the actual root certificate on an offline internal network? You have to actually have a human being move a thumb drive between two machines to generate a cert. OMG, the horror! It's India, for God's sake; don't tell me they can't afford all that manual labor.
    • by Anonymous Coward on Thursday July 10, 2014 @03:17PM (#47426219)

      Will there be any repercussions for this?

      The National Informatics Centre of India did abuse something. Will the National Informatics Centre of India be able to continue with such abuses and do this again in the future? Or will they lose this ability?

      What will happen now?

      They have shown that they can not be trusted. They must lose the power to do this.

      Pull someones certificates or kill some CA. Someone needs to suffer because of this.

      From TFS:

      According to its website, the NIC CA has suspended certificate issuance, and according to Google, its root certificates were revoked by Indian CCA.

      Does that answer your questions?

  • by Required Snark (1702878) on Thursday July 10, 2014 @08:59AM (#47423479)
    The NSA?
  • by Anonymous Coward on Thursday July 10, 2014 @09:03AM (#47423503)

    Good old Indian "ethics".

  • by Himmy32 (650060) on Thursday July 10, 2014 @09:04AM (#47423505)
    The whole point of issuing certs is to be a trusted third party. No one is going to accept a cert from them again. They should know better.
    • by currently_awake (1248758) on Thursday July 10, 2014 @09:10AM (#47423541)
      So how much money or jail time for Fraud and Impersonation? Oh right, it's ok when a government does it. And you can't complain to Uncle Sam as that would disrupt your business in that country.
      • Re:All about trust (Score:5, Insightful)

        by gstoddart (321705) on Thursday July 10, 2014 @09:18AM (#47423573) Homepage

        So how much money or jail time for Fraud and Impersonation? Oh right, it's ok when a government does it. And you can't complain to Uncle Sam as that would disrupt your business in that country.

        And, really, if the US is saying it's their right to tap into anything they want to ... how is it different when India does it?

        India already forced BlackBerry to allow them to access BBM and the like.

        Uncle Sam is causing as much disruption to US businesses abroad as anything, because people are realizing that American companies are effectively just extensions of the US spy apparatus -- because the PATRIOT act means they can demand whatever data they have, and you more or less have to assume they're doing it and being prevented from telling you.

        Which means Indians are already being spied on by (at least) their own government AND the USA.

        Do you expect there to be sympathy for an American company when a foreign government taps into them? Because I hear an awful lot of people saying they think it's perfectly OK when the US does it to foreigners.

        • by Anonymous Coward on Thursday July 10, 2014 @10:24AM (#47424007)

          Everyone is spying on everyone else, and most nations are spying on their own citizens. This does nothing to excuse the NSA violating the terms and limits of their authority, but you have to be an idiot to think that it's only the USA and USSR (ok, idiot with a bad grasp of recent history) involved in spying.

        • by cyberchondriac (456626) on Thursday July 10, 2014 @10:24AM (#47424009) Journal
          Yes actually, I do expect there to be some sympathy. Because everyone bitches when the NSA does it. Every other country does its share of spying too, let's not be naive. Wrong is wrong, no matter who does it. This was clearly wrong, they targeted another country's corporation, and one that has a huge impact on the Internet, worldwide.
          It's only fair that you either get to protest when every and any country pulls something like this, or not at all.
          • by gstoddart (321705) on Thursday July 10, 2014 @10:39AM (#47424117) Homepage

            Yes actually, I do expect there to be some sympathy. Because everyone bitches when the NSA does it.

            I don't disagree with you, but the hypocrisy of "but that's the job of the NSA" that I hear when someone points this out is maddening.

            This was clearly wrong, they targeted another country's corporation, and one that has a huge impact on the Internet, worldwide.

            And one which was doing business in their country. Like it or not, Google in India is subject to India's laws.

            How many corporations and people in foreign countries have been targeted by the NSA? How many people think that is wrong?

            There are an alarming number of people who basically say it's OK when the NSA does it, because that's their mandate.

            It's only fair that you either get to protest when every and any country pulls something like this, or not at all.

            Oh, I agree, and I disagree with the practice in general. But, as I said, it's appalling just how many Americans keep saying "it's fine when we do it, it's wrong when you do it".

            I'm just reminding people of the apparent double standard which gets applied here and in the news.

            Me, I think for a country to decide that their laws/desires trumps the rights of people in other countries, you lose some credibility when someone does the exact same thing to you.

            • by cyberchondriac (456626) on Thursday July 10, 2014 @11:38AM (#47424555) Journal
              Honestly, I don't think I've heard but a handful of Americans saying that it's fine when we do it. Pretty much everyone is up in arms over the NSA. What I hear people say, if unapologetically, is that the NSA isn't the only one doing it. And you'll probably never hear much about what the KGB does (I know that's more an equivalent to the CIA than the NSA, but I'm not sure if Russia sets up their organizations like the US does).

              Still, Google may have a presence in India but it's not an Indian company, per se.

              At this rate, it seems like someday in the future we may have to deal with possibility that being on the Internet is like being a celebrity: no expectation of privacy.
            • by Anonymous Coward on Thursday July 10, 2014 @03:20PM (#47426235)

              I don't disagree with you, but the hypocrisy of "but that's the job of the NSA" that I hear when someone points this out is maddening.

              There are an alarming number of people who basically say it's OK when the NSA does it, because that's their mandate.

              If I were to play D&D, I would not be surprised if the NE rogue tries to steal some treasure - you expect it and try to monitor it. I don't expect the Father Shamus O'Healin the LG Cleric to bludgeon me from behind. Unless he's Catholic, but that's different. Hey-O!

              India spy agency doing spy stuff: bad, but unsurprising. India Weights and Measures group putting a thumb on the scale: bad, very surprising.

      • by Himmy32 (650060) on Thursday July 10, 2014 @09:21AM (#47423589)
        Let's be honest the outrage in India over this is going to be small. The current furor is over people getting raped and hanged while defecating in the open. The US doesn't really have a leg to stand on with the Snowden revelations and espionage in Germany. Nor do too many people want them to be the Internet World Police. It's a complex world with every country playing the spying game. No one is really shocked when someone else gets caught.

        The only thing that will come out of this is lack of trust for some Indian certs, and hopefully some awareness that these attacks are happening.
      • Re:All about trust (Score:5, Insightful)

        by OhPlz (168413) on Thursday July 10, 2014 @10:15AM (#47423949)

        As a US resident, I'd be perfectly content to see the heads of various rights-invading federal agencies put away in prison.

        So no, it's not ok. Not for the US, not for India.

    • by Anonymous Coward on Thursday July 10, 2014 @09:31AM (#47423659)

      No one is going to accept a cert from them again.

      Yeah. Just like no one trusts Comodo CA. Oh wait.

    • by Anonymous Coward on Thursday July 10, 2014 @10:23AM (#47424005)

      Remember DigiNotar ?
      They went bankrupt because nobody trusted them anymore.

    • by cellocgw (617879) <cellocgw.gmail@com> on Thursday July 10, 2014 @12:53PM (#47425083) Journal

      The whole point of issuing certs is to be a trusted third party. No one is going accept a cert from them again.

      Sounds like what we need is a cert-issuing protocol based on Bitcoin security. Everyone (plus or minus epsilon) trusts that Bitcoins can't be forged.

  • by Assmasher (456699) on Thursday July 10, 2014 @09:10AM (#47423543) Journal

    I've never had a problem with it until the past few years when it has been ritually abused by idiots who can't be bothered to create shill accounts (God knows there's enough of those...) to spout hatred and ugliness.

    I'm no sub-continent apologist by any means, but all this anti-India crap is just ridiculous.

  • by bazmail (764941) on Thursday July 10, 2014 @09:13AM (#47423551)
    So SSL is nothing more than an honor system? Fuck that. Security , such as it was, is utterly fucked now that any tin-pot government quango can start intercepting.
    • by bunratty (545641) on Thursday July 10, 2014 @09:19AM (#47423581)
      Everything is nothing more than an honor system. You trust the operating system to accept only the password you chose when someone tries to log in to your account. You trust the compiler not to secretly install backdoors into software. You trust the hardware manufacturers not to implement secret knocks to allow backdoor access. You trust your browser to handle SSL certificates appropriately. If you don't like it, you can build your own hardware and software from scratch and feel safe in the knowledge that it's secure. That is, if you trust that you didn't make a mistake.
      • by Anonymous Coward on Thursday July 10, 2014 @03:25PM (#47426275)

        Everything is nothing more than an honor system. You trust the operating system to accept only the password you chose when someone tries to log in to your account. You trust the compiler not to secretly install backdoors into software. You trust the hardware manufacturers not to implement secret knocks to allow backdoor access. You trust your browser to handle SSL certificates appropriately. If you don't like it, you can build your own hardware and software from scratch and feel safe in the knowledge that it's secure. That is, if you trust that you didn't make a mistake.

        You have to write your own chips, logic and firmware too. More practically, is there an easy way to mass remove all the certs from the DB so you can enter a few you do trust? i.e. anything needed to buy on amazon, newegg and your webmail provider of choice...

      • by chihowa (366380) * on Thursday July 10, 2014 @03:30PM (#47426317)

        That's a cop-out, though. Yes, there is always an element of trust in whatever you do. That's unavoidable, though it's smart to minimize the amount of trust you must put in others. Taken to the extreme it's ludicrous, as you've pointed out. But, that doesn't mean that there's no merit in limiting the amount of trust you put in third parties. Just because you can't completely trust your OS or compiler, doesn't mean that you should throw the entire concept of limiting trust out the window. It's dishonest to suggest that the risk is the same between trusting (your compiler), (your compiler + your OS), and (your compiler + your OS + the CA system).

        The CA system is truly an honor system by design. It requires you to put your complete trust in a large, and growing, list of opaque and unfamiliar third parties and the decision to trust them is made by others though an opaque and unaccountable process. It's putatively a "security system", but is insecure by design. It depends entirely on unaccountable, secretive, and self-selected "authorities" to determine who should trust who.

        Look at your OS's list of trusted CAs sometime. Any of these organizations, or anyone delegated by any single one of them, are implicitly trusted by your system. Completely trusting Microsoft, Apple, or various Linux devs is naive, but completely trusting everyone in the root CA list is absolutely insane!

    • by Desler (1608317) on Thursday July 10, 2014 @09:24AM (#47423605)

      You're just figuring this out? Have you been living under a rock for the past ~20 years or are you just incredibly naive?

    • So SSL is nothing more than an honor system?

      This is nothing new.

      And, let's face it, I bet the NSA et al have demanded more private keys be handed over to them than you'll ever know about. Where's your outrage over that?

      The five eyes all use each other to spy on their own (and others) citizens, and share the information among themselves. Where's your outrage over that?

      I see this as a symptom of a greater problem, but no different from what a bunch of other countries are already doing.

      Until someone creates a new encryption system which isn't susceptible to MITM attacks, this will always be the case. And governments will always unashamedly insist on spying on their people, and anybody else they can find.

      • by sexconker (1179573) on Thursday July 10, 2014 @12:39PM (#47424985)

        Until someone creates a new encryption system which isn't susceptible to MITM attacks

        Uh, some of the earliest encryption algorithms ever created are immune to MITM.
        The core of the MITM issue is that anything sent over it could be intercepted or spoofed.
        So ALL your communication must be encrypted.

        All you need is a pre-shared key to initiate the connection. Whether that's a password or a certificate or something else makes no difference. What matters is the pre-sharing. You have to fucking know and trust the source of that key. If you're just using a list of certs issued by people you don't know and trusted on your behalf by other people you don't know, then your shit isn't secure.

        In an ideal world I'd walk into a bank branch, verify that it is my fucking bank, ask them for a certificate for web access, they'd generate a unique one for me, and I'd copy it to my devices and trust it. I would also give them my own unique certificate, though a username and password is essentially a weaker version of that.

        • by Anonymous Coward on Thursday July 10, 2014 @01:22PM (#47425323)

          Until someone creates a new encryption system which isn't susceptible to MITM attacks

          Uh, some of the earliest encryption algorithms ever created are immune to MITM.

          Name one. Just one. Robust MITM protection did not even start until Mr. Diffie and Mr. Hellman were introduced to each other.

        • Uh, some of the earliest encryption algorithms ever created are immune to MITM.

          Yes, and they were built for communications between two parties, who knew they'd be communicating, and could exchange keys in advance.

          Now, tell me one which is applicable to the problem of a large number of potential users, all unknown up front, and coming from random devices.

          The problem with modern public key encryption (and its strength as well) is that you don't need to pre-exchange keys. But this opens you up to MITM attacks.

          Key exchange is hard. Managing all of those keys is really hard. You think a bank can maintain a list (and keep it secure) of the private keys of every individual customer?

          The thing which holds the keys (and every vendor you deal with would have a separate copy) then becomes the next attack vector.

          I think the generalized problem of establishing trust, and a secure exchange of keys, is far harder and more complex in a world where you deal with lots of entities, who deal with lots of entities. These aren't things your average person is going to be willing to spend hours doing.

    • by gweihir (88907) on Thursday July 10, 2014 @09:45AM (#47423743)

      Anybody that looked into the SSL certificate system has known that for a very long time. Quite a few people used to use self-signed certificates, as at least there somebody who bothered to find out could be sure it was secure.

      I think the fundamental brokenness of the SSL certificate system is because of deep naivety with regard to the trustworthiness of governments and because of active sabotage by said governments way back. I hope at least that issue is fixed after Snowden. Governments are even more evil than any of their members and cannot be trusted for any purpose.

      • by Rich0 (548339) on Thursday July 10, 2014 @10:32AM (#47424065) Homepage

        SSL goes beyond the naivety of government trust. It also suffers from what amounts to a global namespace/trust/etc issue.

        Any CA can issue a certificate for any domain, a domain generally can only have one certificate, and the trusted CA list is managed by the browser, not the user.

        So, if you trust your government (naively), and distrust everybody else, it won't work. Your browser will constantly be wanting to add CAs you don't trust, and might not include ones you trust. Then, if you drop a bunch of CAs, a bunch of websites won't work. A website doesn't have the option of getting certificates from 14 different CAs so as to be trusted by everybody; they have to pick one and everybody has to trust them.

        So, users are basically forced to accept CAs they've never heard of, and the whole system is a mess as a result.

    • There are two TLS extensions that fix these problems - one is including your certificate fingerprint in DNS and the other is multiple signatures. Both have good standards and the industry is painfully slow to adopt them.

    • by Anonymous Coward on Thursday July 10, 2014 @11:28AM (#47424475)

      SSL should be adopted to be an optional configuration of DNS:

      where if I own a domain I decree what are valid webservers, mail servers, etc.

      I want it so that I can have DNS state what certificate authority is trustworthy for my domain. Oh, my OWN self-signed SSL host is listed as trustworthy for MY DOMAIN? GREAT, don't spam me with a warning popup now. Thanks. No paying the SSL man, no worry about a man in the middle.

      Of course, we still need something akin to a list of trusted root DNS certificates (for root DNS servers), and of course Secure DNS (DNSSEC) set up on my hosts and root DNS to prevent MITM, but that seems manageable.

      I feel there could be room for a DNS option for web of trust, too, if someone wants to pay money to advertise themselves as super-secure or something.
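What the two comments above describe (a certificate fingerprint published in DNS, and the domain owner rather than a CA saying which key is valid) is exactly what DANE's TLSA record (RFC 6698) encodes. The following added example, written for this page and not taken from any project, builds TLSA RDATA in wire format, renders the zone-file line, and matches a presented chain against it. The certificate and SPKI bytes are constructed labels, not real DER; the only assumption beyond the RFC is that the record has already been fetched over DNSSEC-validated DNS, which is what makes the scheme work at all.

```python
import hashlib
import struct

# TLSA RDATA (RFC 6698 section 2.1):
#   certificate usage (1 byte) | selector (1 byte) | matching type (1 byte) | association data
USAGE_PKIX_TA, USAGE_PKIX_EE, USAGE_DANE_TA, USAGE_DANE_EE = 0, 1, 2, 3
SEL_FULL_CERT, SEL_SPKI = 0, 1
MATCH_EXACT, MATCH_SHA256, MATCH_SHA512 = 0, 1, 2


def fake_cert(label: str):
    """Constructed stand-in for (DER certificate, DER SubjectPublicKeyInfo)."""
    return (b"constructed DER cert: " + label.encode(), b"constructed SPKI: " + label.encode())


def association_data(selector, matching, cert_der, spki_der) -> bytes:
    selected = {SEL_FULL_CERT: cert_der, SEL_SPKI: spki_der}[selector]
    if matching == MATCH_EXACT:
        return selected
    if matching == MATCH_SHA256:
        return hashlib.sha256(selected).digest()
    if matching == MATCH_SHA512:
        return hashlib.sha512(selected).digest()
    raise ValueError(f"unknown matching type {matching}")


def tlsa_rdata(usage, selector, matching, cert_der, spki_der) -> bytes:
    """Wire-format RDATA the domain owner publishes for its own certificate."""
    return struct.pack("!BBB", usage, selector, matching) + association_data(
        selector, matching, cert_der, spki_der)


def tlsa_presentation(port, proto, name, rdata) -> str:
    """Zone-file form, e.g. _443._tcp.example.com. IN TLSA 3 1 1 <hex>."""
    usage, selector, matching = struct.unpack("!BBB", rdata[:3])
    return f"_{port}._{proto}.{name}. IN TLSA {usage} {selector} {matching} {rdata[3:].hex()}"


def tlsa_matches(rdata: bytes, chain) -> bool:
    """chain: list of (cert_der, spki_der), leaf first.
    Usages 1 and 3 constrain the end-entity certificate only; usages 0 and 2
    name a CA that must appear somewhere in the chain.  For usages 0 and 1
    ordinary PKIX validation against the root store must ALSO pass; usages 2
    and 3 replace it entirely, which is what takes the CA list out of the loop."""
    if len(rdata) < 4:
        return False
    usage, selector, matching = struct.unpack("!BBB", rdata[:3])
    candidates = chain[:1] if usage in (USAGE_PKIX_EE, USAGE_DANE_EE) else chain
    return any(association_data(selector, matching, c, s) == rdata[3:] for c, s in candidates)


# Constructed scenario: a self-signed server, the owner's private CA, and a
# forged chain from an unrelated but publicly trusted sub-CA.
SERVER = fake_cert("www.example.com self-signed")
OWN_CA = fake_cert("example.com private CA")
FROM_OWN_CA = fake_cert("www.example.com issued by private CA")
FORGED_CHAIN = [fake_cert("forged www.example.com"), fake_cert("NIC sub-CA"), fake_cert("India CCA root")]

RECORD_EE = tlsa_rdata(USAGE_DANE_EE, SEL_SPKI, MATCH_SHA256, *SERVER)      # "3 1 1"
RECORD_TA = tlsa_rdata(USAGE_DANE_TA, SEL_FULL_CERT, MATCH_SHA256, *OWN_CA)  # "2 0 1"


def self_signed_accepted() -> bool:
    return tlsa_matches(RECORD_EE, [SERVER])


def forged_rejected_by_ee_record() -> bool:
    return not tlsa_matches(RECORD_EE, FORGED_CHAIN)


def own_ca_chain_accepted() -> bool:
    return tlsa_matches(RECORD_TA, [FROM_OWN_CA, OWN_CA])


def forged_rejected_by_ta_record() -> bool:
    return not tlsa_matches(RECORD_TA, FORGED_CHAIN)


if __name__ == "__main__":
    print(tlsa_presentation(443, "tcp", "example.com", RECORD_EE))
    print(tlsa_presentation(443, "tcp", "example.com", RECORD_TA))
```

The "3 1 1" form (DANE-EE, SPKI, SHA-256) is the one most deployments publish: it survives certificate renewal as long as the key stays the same, and it says nothing about CAs at all, so a mis-issued certificate from any CA simply does not match.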

    • x509 is as strong as the weakest signing authority, and there are many many signing authorities now.

      It's a shame that browsers have such freakouts over self signed certs, because there is really little difference between them and officially signed certs. IMHO SSH did a better job of this by simply having you inspect the certs the first time you log on to a site and storing the result, only freaking out if the cert changes. It eliminates the complex chain of trust that in the end comes down to just trusting people you don't know anyway and hoping that none of the thousands of people involved are corruptible or incompetent.
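The SSH-style model this comment proposes, and the "walk into the branch and get a certificate" model sexconker describes further up, differ only in how the first fingerprint gets into the store. The following added example (written for this page, not from any browser or SSH implementation) is a known_hosts-style store for TLS: record on first contact, accept on match, refuse on change, and an explicit replace() for a fingerprint obtained out of band. Certificate bytes are constructed stand-ins; the JSON layout is an assumption.

```python
import hashlib
import json
import time


class TrustOnFirstUse:
    """known_hosts-style store keyed by host:port, holding the SHA-256
    fingerprint of the DER certificate and when it was first recorded."""

    NEW, KNOWN, MISMATCH = "new", "known", "mismatch"

    def __init__(self, entries=None):
        self._entries = dict(entries or {})

    @staticmethod
    def fingerprint(cert_der: bytes) -> str:
        return hashlib.sha256(cert_der).hexdigest()

    @staticmethod
    def _key(host: str, port: int) -> str:
        return f"{host.lower().rstrip('.')}:{port}"

    def check(self, host: str, port: int, cert_der: bytes, now=None) -> str:
        fp = self.fingerprint(cert_der)
        entry = self._entries.get(self._key(host, port))
        if entry is None:
            # First contact: nothing to compare against.  This is the one
            # window an attacker has; a careful client shows the fingerprint
            # for out-of-band verification before recording it.
            self._entries[self._key(host, port)] = {
                "sha256": fp, "first_seen": time.time() if now is None else now}
            return self.NEW
        if entry["sha256"] == fp:
            return self.KNOWN
        # Changed certificate.  A legitimate renewal with a new key looks
        # exactly like a MITM from here, which is the usability cost of the
        # model; refuse and make the user decide, never silently update.
        return self.MISMATCH

    def replace(self, host: str, port: int, cert_der: bytes, now=None) -> None:
        """Explicit user action after verifying the fingerprint out of band
        (the 'ask the bank in person' case): pre-sharing, not first use."""
        self._entries[self._key(host, port)] = {
            "sha256": self.fingerprint(cert_der), "first_seen": time.time() if now is None else now}

    def dump(self) -> str:
        return json.dumps(self._entries, sort_keys=True)

    @classmethod
    def load(cls, text: str):
        return cls(json.loads(text))


def demo():
    """Constructed walk-through: first visit, return visit after reload,
    a forged-but-CA-valid certificate, then a verified key rotation."""
    bank_cert = b"constructed DER: bank.example certificate, key A"
    forged_cert = b"constructed DER: bank.example certificate from a rogue CA"
    rotated_cert = b"constructed DER: bank.example certificate, key B"

    store = TrustOnFirstUse()
    first = store.check("bank.example", 443, bank_cert, now=1.0)
    store = TrustOnFirstUse.load(store.dump())           # survives a restart
    second = store.check("bank.example", 443, bank_cert, now=2.0)
    attacked = store.check("bank.example", 443, forged_cert, now=3.0)
    store.replace("bank.example", 443, rotated_cert, now=4.0)  # verified via the branch
    after_rotation = store.check("bank.example", 443, rotated_cert, now=5.0)
    return first, second, attacked, after_rotation


if __name__ == "__main__":
    print(demo())
```

Note what the store does not do: it never consults a CA list, so the NIC certificates in the story would trip MISMATCH for anyone who had seen the genuine Google certificate before, and NEW for anyone who had not, which is the whole trade-off in one line.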
  • by Anonymous Coward on Thursday July 10, 2014 @10:47AM (#47424181)

    And these are our "friends"? How much IT and other activities have we sent off to China and India? And what do we, our government and our corporations get in return? Intellectual theft, data theft, subversion. And then we spy on our supposed allies.

  • by Anonymous Coward on Thursday July 10, 2014 @11:38AM (#47424565)

    It sounds like we need the ability to limit the scope of certificate authorities to signing for only certain domains.

    While it isn't a perfect solution to the broken CA model, it would prevent cases like this one and limit the damage that could be done.

  • by dwheeler (321049) on Thursday July 10, 2014 @12:23PM (#47424855) Homepage Journal

    This is a big deal. If you use a browser on Windows that does NOT counter this, such as Internet Explorer, then you ARE vulnerable. I imagine Microsoft will come out with a special-purpose patch, but still, this is a pretty nasty issue.

    Untrustworthy CAs have been a problem for a long time; we need mechanisms to address them. The terrible cert revocation system makes it even worse; you can't be sure that the certs are checked in many cases. Chrome's CRLSets are not the answer; they are not even the beginning of an answer. We need to fix the whole revocation system [dwheeler.com]. Sadly, there hasn't been enough work or enough urgency on these problems; maybe this will light a fire under those efforts. I doubt it, but it's worth hoping.

  • by Anonymous Coward on Thursday July 10, 2014 @01:04PM (#47425175)

    The United States Department of Commerce has been doing this for years.

  • by Anonymous Coward on Thursday July 10, 2014 @01:06PM (#47425183)

    ...to sanitation as to the myriad of silly, pissing contest undertakings they seem to have a penchant for, India would be a better, less stinky place.

  • by Anonymous Coward on Thursday July 10, 2014 @01:38PM (#47425441)

    This is why I do not trust any CA's included in any browser, instead preferring to validate those few sites I actually use HTTPS with. The other advantage is that none of the god damn advertisers can use an https connection to pass on malware since the certs aren't trusted by me. Blocks em right at the source.

    captcha=despised

  • by Antibozo (410516) on Thursday July 10, 2014 @03:58PM (#47426547) Homepage

    I think intermediate CA certificates issued to certificate vendors, ISPs, governments, should all have name constraints so that they can be used to sign only certificates for an appropriate part of the namespace.

    http://tools.ietf.org/html/rfc... [ietf.org]
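Both this comment and the earlier one asking to "limit the scope of certificate authorities to signing for only certain domains" are describing the X.509 Name Constraints extension (RFC 5280 section 4.2.1.10). The following is an added example written for this page, not code from any real validator: it implements the dNSName subtree matching and walks a chain accumulating each CA's permitted and excluded subtrees, then runs it over a constructed scenario modelled on the story (certificates are plain dicts, an assumption made to keep the example free of ASN.1 parsing).

```python
def dns_in_subtree(name: str, base: str) -> bool:
    """RFC 5280 form: 'nic.in' covers nic.in and every name ending '.nic.in'.
    The leading-dot form '.nic.in', accepted by OpenSSL and common in issued
    certificates, covers subdomains only and not the bare name."""
    name, base = name.lower().rstrip("."), base.lower().rstrip(".")
    if base.startswith("."):
        return name.endswith(base) and len(name) > len(base)
    return name == base or name.endswith("." + base)


def validate_chain(chain):
    """chain: list of certificate dicts, root first, leaf last, with keys
         dns_names  - dNSName SANs of this certificate
         permitted  - permittedSubtrees dNSName entries of this CA (optional)
         excluded   - excludedSubtrees dNSName entries of this CA (optional)
    A CA's constraints bind every certificate below it, so they accumulate
    down the chain: each name must satisfy EVERY ancestor's permitted set
    (an empty or absent set means no restriction) and none of the excluded
    ones.  Returns (ok, reason)."""
    permitted_sets, excluded = [], []
    for i in range(1, len(chain)):
        issuer, subject = chain[i - 1], chain[i]
        if issuer.get("permitted"):
            permitted_sets.append(list(issuer["permitted"]))
        excluded.extend(issuer.get("excluded", []))
        for n in subject.get("dns_names", []):
            if any(dns_in_subtree(n, e) for e in excluded):
                return False, f"{n} falls in an excluded subtree"
            for pset in permitted_sets:
                if not any(dns_in_subtree(n, p) for p in pset):
                    return False, f"{n} is outside permitted subtrees {pset}"
    return True, "ok"
# Caveat: this handles dNSName only.  iPAddress, rfc822Name and directoryName
# entries need their own subtree logic, and a CA constrained only on dNSName
# is unconstrained for a certificate that carries only an IP-address SAN.
# A client that ignores the extension gets no protection from it at all.


# Constructed scenario.  The "open" chain is the situation in the story:
# a sub-CA with no constraints can sign for any name on the Internet.
CCA_ROOT_OPEN = {"dns_names": []}
NIC_SUBCA_OPEN = {"dns_names": []}
CCA_ROOT_CONSTRAINED = {"dns_names": [], "permitted": ["gov.in", "nic.in"],
                        "excluded": ["test.nic.in"]}
NIC_SUBCA_CONSTRAINED = {"dns_names": [], "permitted": ["nic.in"]}
GOOGLE_LEAF = {"dns_names": ["www.google.com", "mail.google.com"]}


def as_issued():
    """No constraints anywhere: the google.com leaf validates."""
    return validate_chain([CCA_ROOT_OPEN, NIC_SUBCA_OPEN, GOOGLE_LEAF])


def with_constraints(leaf_names):
    """Root limited to gov.in and nic.in, sub-CA further limited to nic.in."""
    return validate_chain([CCA_ROOT_CONSTRAINED, NIC_SUBCA_CONSTRAINED, {"dns_names": leaf_names}])


if __name__ == "__main__":
    print("as issued:       ", as_issued())
    print("constrained:     ", with_constraints(["www.google.com"]))
    print("in scope:        ", with_constraints(["mail.nic.in"]))
    print("parent scope only", with_constraints(["portal.gov.in"]))
```

The intersection rule is the part people get wrong: a name under the constrained sub-CA has to satisfy the root's subtrees and the sub-CA's, so portal.gov.in is fine when issued directly under the root but not when issued by the nic.in-only sub-CA.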

  • by DERoss (1919496) on Thursday July 10, 2014 @06:25PM (#47427739)

    This is not a problem with Firefox, SeaMonkey, or other Mozilla-based applications. They use a certificate database separate from Microsoft's, a database that does not contain the certificate used in the forgery.

    The certification authority at fault (NIC) has an open request to have its root certificate added to Mozilla's database. However, NIC has failed to respond to requests for further information, requested over a year ago by the Mozilla person who is in charge of the process of approving certificates. Furthermore, Mozilla persons -- both staff and users -- are aware of NIC's problem; some have suggested that NIC's request be rejected and NIC be permanently banned from the database.

    To see the discussion, see https://bugzilla.mozilla.org/s... [mozilla.org].

    Some certification authorities and some of their subscribers complain that Mozilla takes too long to approve root certificates and then to add those certificates to Mozilla's database. At least in this case, delay served to protect users. The delays are significantly caused by Mozilla's requirement for independent audit reports and for a period of public review and comment on each request. Hooray for Mozilla!!

