Red Hat
Aug 29, 2011
by Anil Saldhana
You may have heard practitioners preaching SSL as a mitigation for man-in-the-middle (MITM) attacks. For more information on MITM, read here.

SSL certificates are issued by a Certificate Authority (CA). There are a large number of CAs around the world, and most of the prominent browsers trust a set of CAs by default.

The latest news about a hacker getting SSL certificates issued under the Google name from a Dutch CA is very alarming.

If the browser trusts a particular CA and that CA has issued a fraudulent certificate, then it is very difficult for the browser to detect the fraud unless it checks revocation via OCSP or removes that CA from its trust store.

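As an added illustration (not part of the original post, and not how any real browser is implemented): a toy model in which a rogue certificate issued by a still-trusted CA is accepted until either its issuer and serial appear in an OCSP revocation set or the CA is removed from the root store. All names and serial numbers are constructed.

```python
from dataclasses import dataclass

# Constructed model of a browser's trust decision for a server certificate.
# Certificates are plain records and signatures are NOT checked; the point is
# the two controls the post names: editing the root store (distrust) and OCSP.

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    serial: int

ACCEPTED = "accepted"
UNTRUSTED_ROOT = "rejected: chain does not end in a trusted root"
REVOKED = "rejected: certificate reported revoked via OCSP"
BROKEN_CHAIN = "rejected: certificate not issued by the next cert in the chain"

def evaluate_chain(chain, root_store, ocsp_revoked):
    """chain: leaf first, ending with the root CA cert.
    root_store: set of root subject names the browser trusts.
    ocsp_revoked: set of (issuer, serial) pairs the CA's OCSP responder reports revoked."""
    for cert, parent in zip(chain, chain[1:]):
        if cert.issuer != parent.subject:
            return BROKEN_CHAIN
        if (cert.issuer, cert.serial) in ocsp_revoked:
            return REVOKED
    root = chain[-1]
    if root.subject != root.issuer or root.subject not in root_store:
        return UNTRUSTED_ROOT
    return ACCEPTED

# Constructed sample: a rogue wildcard certificate for Google issued by a CA
# the browser trusts (the serial number is made up).
DIGINOTAR = "DigiNotar Root CA"
ROGUE_CHAIN = [
    Cert("*.google.com", DIGINOTAR, 0x1234),
    Cert(DIGINOTAR, DIGINOTAR, 1),
]

def scenario():
    """Returns the verdict before any fix, with OCSP revocation, and after distrust."""
    store = {"Some Other Root CA", DIGINOTAR}  # constructed pre-fix root store
    before = evaluate_chain(ROGUE_CHAIN, store, set())
    # Control 1: OCSP helps only if the CA knows about the cert and revokes it.
    with_ocsp = evaluate_chain(ROGUE_CHAIN, store, {(DIGINOTAR, 0x1234)})
    # Control 2: the browser (or user, per the Firefox steps) drops the CA entirely.
    store.discard(DIGINOTAR)
    after_distrust = evaluate_chain(ROGUE_CHAIN, store, set())
    return before, with_ocsp, after_distrust
```

The model makes the post's point explicit: if the CA never learns that the rogue certificate exists, the OCSP path does nothing, and only distrusting the CA outright protects the user.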
Update from Mozilla Firefox:

http://blog.mozilla.com/security/2011/09/02/diginotar-removal-follow-up/

Mitigation in Mozilla Firefox:

http://support.mozilla.com/en-US/kb/deleting-diginotar-ca-cert

Mozilla will be releasing an update to Firefox to further protect you from this. Until the update is released you can manually delete this certificate with these steps:

1. At the top of the Firefox window, click on the Edit menu and select Preferences.
2. Click on the Advanced panel.
3. Select the Encryption tab.
4. Click View Certificates.
5. In the Certificate Manager window, select the Authorities tab.
6. Scroll down to DigiNotar and select the DigiNotar Root CA.
7. Click Delete or Distrust...
8. Click OK to confirm the deletion.

Apparently the DigiNotar certificate shows up in Internet Explorer too. Here is the Microsoft Advisory.

Google Chrome is covered by its security features.

A Google spokesman provided CNET with this statement: "A Chrome security feature warned the user of the invalid certificate and blocked them from visiting the attacker's site. We're pleased that the security measures in Chrome protected the user and brought this attack to the public's attention. While we investigate, we plan to block any sites whose certificates were signed by DigiNotar."

(Thanks to CNET)

If your favorite bank has a website with a URL starting with https, try to demand Extended Validation certificates. CAs go through an extended validation process before issuing EV certs, and the browser displays a green bar in the address bar.