DaemonForums > News

#1, 24th March 2015
J65nko (Administrator, Budel - the Netherlands)
Google warns of unauthorized TLS certificates trusted by almost all OSes

From http://arstechnica.com/security/2015...most-all-oses/

Quote:
In the latest security lapse involving the Internet's widely used encryption system, Google said unauthorized digital certificates have been issued for several of its domains and warned misissued credentials may be impersonating other unnamed sites as well.

The bogus transport layer security certificates are trusted by all major operating systems and browsers, although a fall-back mechanism known as public key pinning prevented the Chrome and Firefox browsers from accepting those that vouched for the authenticity of Google properties, Google security engineer Adam Langley wrote in a blog post published Monday. The certificates were issued by Egypt-based MCS Holdings, an intermediate certificate authority that operates under the China Internet Network Information Center (CNNIC). The Chinese domain registrar and certificate authority, in turn, is included in root stores for virtually all OSes and browsers.

The issuance of the unauthorized certificates represents a major breach of rules established by certificate authorities and browser makers. Under no conditions are CAs allowed to issue certificates for domains other than those legitimately held by the customer requesting the credential. In early 2012, critics blasted US-based CA Trustwave for doing much the same thing, and Langley noted an example of a France-based CA that has also run afoul of the policy.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump

#2, 24th March 2015
Oko (Rc.conf Instructor, Kosovo, Serbia)

Quote: Originally Posted by J65nko
This is good news for U.S. business and bad news for people who want to buy cheap certificates. Recently we purchased a few certificates ($15) from GoDaddy for one of our small projects. The certificates were rejected by all browsers. Next step for us is Verisign and spending a few hundred dollars for a certificate. I expect to see more and more of such things.

#3, 25th March 2015
gpatrick (Spam Deminer)

Have you thought of using CAcert.org? Of course those may also be rejected, but if not, they're free.

#4, 25th March 2015
scottro (Scott Robbins, ISO Quartermaster, NYC)

There's also https://www.ssls.com/ for very cheap ones. No idea if they usually get rejected or not though.

If rejected, they're still less than $10.00 USD.

#5, 25th March 2015
J65nko (Administrator, Budel - the Netherlands)

There are also Extended Validation Certificates.

Because the CA is supposed to do a more extensive background check, these are more expensive. Don't know if they have a higher acceptance rate. In the browser address bar, the URL mentioned by scottro shows a green lock and the name of the legal company (Namecheap Inc, US) running that website.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump