aelius Posted December 10, 2013

Google announced that it detected a French government agency using unauthorized digital certificates for several Google domains to perform man-in-the-middle attacks on a private network. Google security engineer Adam Langley described the incident as a "Serious Security breach", discovered in early December. These bogus certificates were fraudulently signed by the certificate authority of DG Trésor, the French Treasury and Cyber Defense agency known as ANSSI.

"In response, we updated Chrome's certificate revocation metadata immediately to block that intermediate CA, and then alerted ANSSI and other browser vendors. Our actions addressed the immediate problem for our users."

Google has immediately updated Chrome's certificate revocation list to block all dodgy certificates issued by the French authority. ANSSI said that the intermediate CA certificate was used to inspect encrypted traffic with the users' knowledge on a private network with a commercial device, i.e. snooping on its own users' Internet usage.

Last year, a Turkish certificate authority called 'Turktrust' was revealed to have issued two subordinate certificates for the domain gmail.com, and that these certificates had been used to intercept Gmail users' traffic. NSA is also alleged to have used man-in-the-middle attacks through unauthorized certificates against Google in the past. Google said, "We're now working to bring this extra protection to more users who are not signed in."

Source: Fake Google SSL Certificates, Made in France
em Posted December 11, 2013

This thing seems like crap to me. So now, after I see the SSL certificate, I also have to check that it's not "Made in China" or France?
aelius (Author) Posted December 11, 2013

em said: This thing seems like crap to me. So now, after I see the SSL certificate, I also have to check that it's not "Made in China" or France?

This shows that the state will commit any illegality for its own interests. Basically, you open example dot com over https, the certificate is valid, the example domain is well known and you log in. You have no way of knowing that a state organisation is redirecting the traffic through a local server and mapping another SSL certificate onto the domain in order to intercept data (or rather, an intermediate certificate sitting between the one in the browsers' root store and the domain's own certificate).
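The reply above describes why root-store validation alone cannot catch this: a certificate issued by any publicly trusted intermediate for the domain will pass. The check that does catch it is the one Chrome applied, a pin on who is expected to issue the certificate (or on the certificate itself). The script below, written for this thread and not part of the original posts, shows that pin logic on top of Python's standard ssl module: it flattens the issuer as getpeercert() reports it, compares it and the DER fingerprint against a recorded expectation, and reports any mismatch. The sample certificate dict, the DER bytes and every organisation name in it are constructed placeholders; inspect_host() is a hypothetical helper for running the same check against a live server.

```python
import hashlib
import socket
import ssl
from typing import Iterable, List

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns for a
# validated leaf certificate: 'subject' and 'issuer' are tuples of RDNs, each
# RDN a tuple of (attribute, value) pairs. Names are illustrative only.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": (
        (("countryName", "FR"),),
        (("organizationName", "Example Intermediate CA"),),
        (("commonName", "Example Intermediate CA 1"),),
    ),
    "notAfter": "Dec 31 23:59:59 2014 GMT",
}

# Constructed stand-in for the DER bytes getpeercert(binary_form=True) would
# return; only its hash matters for the fingerprint pin below.
SAMPLE_DER = b"\x30\x82\x01\x00constructed-der-placeholder"


def rdn_to_dict(rdn_seq) -> dict:
    """Flatten the tuple-of-tuples RDN sequence into {attribute: value}."""
    out = {}
    for rdn in rdn_seq:
        for attr, value in rdn:
            out[attr] = value
    return out


def issuer_org(cert: dict) -> str:
    """Organisation name of the CA that signed the leaf ('' if absent)."""
    return rdn_to_dict(cert.get("issuer", ())).get("organizationName", "")


def sha256_hex(der: bytes) -> str:
    """Certificate fingerprint: SHA-256 over the DER encoding."""
    return hashlib.sha256(der).hexdigest()


def check_pins(cert: dict, der: bytes,
               allowed_issuer_orgs: Iterable[str],
               pinned_fingerprints: Iterable[str]) -> List[str]:
    """Return a list of pin violations; an empty list means the leaf is as expected.

    The chain has already passed root-store validation by the time we get here.
    These checks cover the case the thread describes: a publicly trusted but
    unexpected intermediate has issued a certificate for the domain.
    """
    problems = []
    org = issuer_org(cert)
    if org not in set(allowed_issuer_orgs):
        problems.append(f"unexpected issuer organisation: {org!r}")
    fp = sha256_hex(der)
    if fp not in set(pinned_fingerprints):
        problems.append(f"leaf fingerprint not pinned: {fp}")
    return problems


def inspect_host(host: str, port: int = 443, timeout: float = 5.0):
    """Hypothetical helper: fetch the validated leaf from a live server (needs network)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(), tls.getpeercert(binary_form=True)


if __name__ == "__main__":
    # The expectations are placeholders; record the issuer and fingerprint
    # observed from a network you trust before relying on them.
    cert, der = inspect_host("www.example.com")
    print("issuer:", issuer_org(cert))
    print("fingerprint:", sha256_hex(der))
    for problem in check_pins(cert, der,
                              {"ISSUER-ORG-PLACEHOLDER"},
                              {"FINGERPRINT-PLACEHOLDER"}):
        print("PIN VIOLATION:", problem)
```

The issuer-name check is the weaker of the two: an intermediate that is itself trusted can sign a certificate carrying any issuer name it likes, so the name only tells you that something changed, not that the change is benign. The fingerprint pin is what actually binds the connection to a certificate you have seen before, at the cost of having to update the pin whenever the site legitimately rotates its certificate.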