Rogue Google SSL certificate missed by auditors
Posted on 30 August 2011.
VASCO Data Security International - the owner of DigiNotar, the Dutch Certificate Authority who issued the rogue SSL certificate for *.google.com domains that has allowed attackers to execute MITM attacks against Google users - has finally issued a statement regarding the incident.


"On July 19th 2011, DigiNotar detected an intrusion into its Certificate Authority (CA) infrastructure, which resulted in the fraudulent issuance of public key certificate requests for a number of domains, including Google.com," it explains. "Once it detected the intrusion, DigiNotar has acted in accordance with all relevant rules and procedures. At that time, an external security audit concluded that all fraudulently issued certificates were revoked."

But, "recently, it was discovered that at least one fraudulent certificate had not been revoked at the time. After being notified by Dutch government organization Govcert, DigiNotar took immediate action and revoked the fraudulent certificate."

Saying that no other types of certificates were compromised, the company says that it will temporarily suspending the sale of its SSL and EVSSL certificate offerings, and that it will organize new third-party audits.

Well, let's just hope the won't be using the same auditing firm. I also wonder if the one rogue certificate was all that these auditors missed. F-Secure says that it wasn't - they also missed the evidence of a number of defacements of DigiNotar's website that were executed over the years.

Whether this will appease Mozilla, Google and Microsoft, who have already moved to remove DigiNotar as a trusted root CA from their products, only time will tell.






Spotlight

Almost 1 in 10 Android apps are now malware

Posted on 28 July 2014.  |  Cheetah Mobile Threat Research Labs analyzed trends in mobile viruses for Q1 and Q2 of 2014. Pulling 24.4 million sample files they found that 2.2 million files had viruses. This is a 153% increase from the number of infected files in 2013.


Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.
  



Daily digest

Receive a daily digest of the latest security news.
  

DON'T
MISS

Mon, Jul 28th
    COPYRIGHT 1998-2014 BY HELP NET SECURITY.   // READ OUR PRIVACY POLICY // ABOUT US // ADVERTISE //