Recently, we have seen false SSL/TLS certificate issued by DigiNotar causing trouble to a lot of people. The Tor project's blog describes it at length. Details of such vulnerabilities are detailed here. Firefox has been fast in responding to this. They have released an update which basically prevents its users from becoming a victim.
2 comments:
My Firefox 6.0.2 installation is compromised and I can't believe it is only me but I only see reference to DigiNotar.
There are 10 certificates in my Firefox Certificate Manager that I have not added and I have tried to delete repeatedly. They purport to be issues by "UTN USERFirst Hardware Root CA, "http://www.usertrust.com".
They are for the following domains
addons.mozilla.com
kuix.de
login.live.com
login.skype.com
login.yahoo.com (three certs)
mail.google.com
www.google.com
I am a qualified network security engineer (CCSP) with 10 years experience. I my opinion this represents an immediate threat to anyone trying to log on to domains above as they are susceptible to a man in the middle attack and compromise of their privacy. In the Middle East this could be life threatening. In the medium term this represents a very serious threat to e-commerce. Other browsers Internet Explorer 9, Chrome V14... show the certificates disabled (worryingly I can't seem to manage the certificates on Safari!).
I am posting this to raise awareness
You are wrong. These certificates are not trusted. They are added purportedly to mitigate the threat.
Post a Comment