Hackers acquired Google digital certificate

Date: 2011-08-30

According to Computerworld, hackers have obtained a digital certificate good for any Google website from a Dutch certificate provider. Criminals could use the certificate to conduct "man-in-the-middle" attacks targeting users of Gmail, Google's search engine or any other service operated by Google.
"[Attackers] could poison DNS, present their site with the fake cert and bingo, they have the user's credentials," said Andrew Storms, director of security operations at nCircle Security.
Man-in-the-middle attacks could also be launched via spam messages with links leading to a site posing as, say, the real Gmail. If recipients followed that link, their account username and password could be hijacked.
Details of the certificate were posted on Pastebin.com last Saturday. Pastebin.com is a public site where developers -- including hackers -- often post source code samples.
According to Schouwenberg, a researcher at Kaspersky Lab, the SSL (Secure Sockets Layer) certificate is valid, and was issued by DigiNotar, a Dutch certificate authority.
Security researcher and Tor developer Jacob Appelbaum confirmed that the certificate was valid, as did noted SSL researcher Moxie Marlinspike on Twitter. "Yep, just verified the signature, that pastebin *.google.com certificate is real," said Marlinspike. Because the certificate is valid, a browser would not display a warning message if its user went to a website that presented the certificate.
It's unclear whether the certificate was obtained because of a lack of oversight by DigiNotar or through a breach of the company's certificate issuing website. Schouwenberg urged the company to provide more information as soon as possible. "Given their ties to the government and financial sectors it's extremely important we find out the scope of the breach as quickly as possible," Schouwenberg said.
The situation was reminiscent of a breach last March, when a hacker obtained certificates for some of the Web's biggest sites, including Google and Gmail, Microsoft, Skype and Yahoo. At that time, browser makers, including Google, Microsoft and Mozilla, rushed out updates that added the stolen certificates to their applications' blacklists.
The google.com certificate was issued July 10, but was not revoked -- the first step in blocking its use -- until today at 1 p.m. EDT.
