[LINK] Rogue SSL Certs Issued For CIA, MI6, Mossad

Kim Holburn kim at holburn.net
Tue Sep 6 18:53:49 AEST 2011


Seems this was the Iranians in a bid to tap into encrypted traffic of their own citizens.  The worry is that our western governments can "probably" get any of these kinds of certificates they want without hacking!

I do rather like the Dutch Government's quote:
> He advised users who wanted to be certain of secure communication with the government to use pen and paper.



https://www.nytimes.com/2011/09/06/technology/hacking-in-the-netherlands-broadens-in-scope.html?_r=1

> Hacking in the Netherlands Took Aim at Internet Giants
> 
> By THE ASSOCIATED PRESS
> 
> Published: September 5, 2011
> 
> AMSTERDAM (AP) — Attackers who hacked into a Dutch Web security firm have issued hundreds of fraudulent security certificates for intelligence agency Web sites, including the C.I.A., as well as for Internet giants like Google, Microsoft and Twitter, the Dutch government said on Monday.
> 
> Experts say they suspect the hacker — or hackers — operated with the cooperation of the Iranian government, perhaps in attempts to spy on dissidents.
> 
> The latest versions of browsers including Microsoft’s Internet Explorer, Google’s Chrome and Mozilla’s Firefox are now rejecting certificates issued by the firm that was hacked, DigiNotar.
> 
> But in a statement on Monday, the Dutch Justice Ministry published a list of the fraudulent certificates that greatly expands the scope of the July hacking attack that DigiNotar acknowledged only last week. The list also includes certificates that were sent to sites operated by Yahoo, Facebook, Microsoft, Skype, AOL, the Tor Project, WordPress, and by intelligence agencies like Israel’s Mossad and Britain’s MI6.
> 
> DigiNotar is one of many companies that sell the security certificates widely used to authenticate Web sites and guarantee that communications between a user’s browser and a site are secure.
> 
> In theory, a fraudulent certificate can be used to trick a user into visiting a fake version of a Web site, or used to monitor communications with the real sites without users noticing.
> 
> But in order to pass off a fake certificate, a hacker must be able to steer his target’s Internet traffic through a server that he controls. That is something only an Internet service provider, or a government that commands one, can easily do.

....


> Although no users in the Netherlands are known to have been victimized directly, the breach has caused a major headache for the Dutch government, which relied on DigiNotar to authenticate most of its Web sites.
> 
> In a news conference on Saturday, the Dutch justice minister, Piet Hein Donner, said the safety of Web sites — including the country’s social security agency, police and tax authorities — could no longer be guaranteed.
> 
> He advised users who wanted to be certain of secure communication with the government to use pen and paper.

-- 
Kim Holburn
IT Network & Security Consultant
T: +61 2 61402408  M: +61 404072753
mailto:kim at holburn.net  aim://kimholburn
skype://kholburn - PGP Public Key on request 

Sent from my steam driven difference engine











