Google Blocks 247 Digital Certificates, But Worries Linger

Published: 22/11/2024   Category: security




Mozilla, Microsoft also blocking fraudulent DigiNotar certificates, but security experts say nothing short of an SSL protocol overhaul will help.



Google, in the latest version of its Chrome browser--released on Tuesday--added blacklists for 247 digital certificates. Google's Chromium update blog said the changes were made "to block bad DigiNotar serial numbers and several intermediaries." That refers to Dutch digital certificate authority DigiNotar, which issued fraudulent digital certificates for dozens of domains, including Google's Gmail. Hackers apparently used the fraudulent certificates to intercept Web traffic coming from Iran, for an unknown period of time.

Google's update is notable because Chrome previously only blocked 10 digital certificates, said Chester Wisniewski, a senior security advisor at Sophos Canada, in a blog post.
What is the risk posed by a fraudulent digital certificate? For starters, it makes a browser believe that it's on the real version of a site, because the browser trusts that the fake site's SSL certificate is valid. Users on a compromised network could be directed to sites using a fraudulent certificate and mistake them for the legitimate sites, according to a DigiNotar-related security warning released by Mozilla. This could deceive them into revealing personal information such as usernames and passwords. It may also deceive users into downloading malware if they believe it's coming from a trusted site.

The fraudulently issued digital certificates were not a proof-of-concept exploit. According to Mozilla, "we have received reports of these certificates being used in the wild."
Mozilla updated Firefox to version 6.0.1, which blacklists the fraudulent DigiNotar certificates. Likewise, a Microsoft security bulletin said that as a precautionary measure, Microsoft has removed the DigiNotar root certificate from the Microsoft Certificate Trust List. That list is used by Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2. Microsoft said that forthcoming updates for Windows XP and Windows Server 2003 would likewise blacklist the fraudulent certificates.
The incident has had widespread repercussions for digital certificate users. Notably, it's left the Dutch government scrambling to reassure residents that a government-issued identity system, which uses DigiNotar digital certificates, hadn't been breached. More than seven million people in the Netherlands use the digital ID system, dubbed DigID, to access government services online.

But many users were spooked after Mozilla's Firefox 6.0.1 update warned them that the DigID website certificate was no longer trusted. The error was due to the way that Mozilla coded its blocks. The Dutch government released a statement saying that Mozilla had been alerted, and was working on a fix.
The DigiNotar incident recalls the hack of certificate authority Comodo--a solo Iranian claimed credit--earlier this year, resulting in Comodo issuing fraudulent certificates for Google, Skype, and Mozilla websites. Comodo apparently spotted and revoked the credentials before they could be used in attacks. Still, certificate revocation is cumbersome, and can be ineffective because it only mitigates the resulting threat when--or if--users upgrade their operating system and browser.
Speaking earlier this month at the Black Hat conference in Las Vegas, security researcher Moxie Marlinspike noted that the protocol for making secure HTTP requests, known as SSL, was first created by Netscape engineers in the early 1990s. "Their efforts can be seen as incredibly heroic," he said. But the protocol hasn't aged well. Accordingly, Marlinspike has called for an overhaul of certificate authorities to help prevent attacks against SSL authenticity and infrastructure.
Until that happens, what can be done to mitigate the threat of fraudulent certificates, especially if attackers use them--in the case of DigiNotar, possibly for months or even years--before being detected? "We are somewhat struggling with the advice we should give you," said SANS Institute chief research officer Johannes B. Ullrich in a blog post. Simply blocking all DigiNotar certificates, for example, would also block legitimate sites. Meanwhile, as noted, certificates can be revoked, but that isn't always fully effective.
Another option is to use the complementary DNS Security Extensions (DNSSEC), which provide an alternative means to validate that you are connecting to the correct site--provided that users activate it in their browser, and websites offer it--he said. Finally, new mechanisms of trust also might help. One notable new offering is Convergence, which was introduced earlier this month by Marlinspike as a Firefox plug-in. Convergence attempts to crowdsource digital certificate security by comparing the certificates that different people receive from the same website--rather than by relying on certificate authorities. But Ullrich said such plug-ins and approaches are new and, so far, untested.
