Information Security News mailing list archives

World ostracizes firm that issued bogus Google credential


From: InfoSec News <alerts () infosecnews org>
Date: Wed, 31 Aug 2011 04:30:22 -0500 (CDT)

http://www.theregister.co.uk/2011/08/30/fraudulent_google_cert_update/

By Dan Goodin in San Francisco
The Register
30th August 2011

A counterfeit credential authenticating Gmail and other sensitive Google services was the result of a network intrusion suffered by DigiNotar, the parent company of the Netherlands-based certificate authority said in a press release that raised disturbing new questions about security on the internet.

Tuesday's disclosure by Chicago-based Vasco Data Security came as a growing roster of companies updated their software products to prevent them from trusting certificates issued by DigiNotar. At least one of them cited reports that the fraudulent certificate that came to light on Monday was used to spy on the electronic communications of people in Iran.

Vasco said in its statement that a July 19 breach of DigiNotar's certificate authority system resulted in fraudulent secure sockets layer certificates being issued for a “number of domains, including Google.com.” The statement didn't specify the names or number of the additional domains, and representatives from both Vasco and DigiNotar didn't respond to emails seeking those details. An update to Google's Chrome browser suggests the breach may involve as many as 247 bogus certificates.

“The attack was targeted solely at DigiNotar's certificate authority infrastructure for issuing SSL and EVSSL certificates,” the statement read. The company has suspended certificate services pending additional security audits by third-party firms.

[...]
