Other relevant links for this:
http://krebsonsecurity.com/2013/01/turkish-govt-enabled-phishers-to-spoof-google/
http://technet.microsoft.com/en-us/security/advisory/2798897
On Thu, Jan 3, 2013 at 4:25 PM, Steven Bellovin <s...@cs.columbia.edu> wrote:
>
> On Jan 3, 2013, at 3:52 PM, Matthias Leisi <matth...@leisi.net> wrote:
>
>> On Thu, Jan 3, 2013 at 4:59 AM, Damian Menscher <dam...@google.com> wrote:
>>
>>> While I'm writing, I'll also point out that the Diginotar hack which came up in this discussion as an example of why CAs can't be trusted was discovered due to a feature of Google's Chrome browser when a cert was
>>
>> Similar to http://googleonlinesecurity.blogspot.ch/2013/01/enhancing-digital-certificate-security.html?
>>
> Thanks; I was just about to post that link to this thread.
>
> Certificates don't spread virally, and random browsers don't go looking for whatever interesting certificates they find. They also don't like certs that say "*.google.com" when the user is trying to go somewhere else; that web site would be non-functional unless it was trying to impersonate a Google domain. Taken all together, this sounds to me like deliberate mischief by someone. In fact, were it not for the facts that the blog post says that Google learned of this on December 24 and this thread started on December 14, I'd wonder if there was a connection -- was this the incident that made Google reassess its threat model?
>
> Of course, this attack was carried out within the official PKI framework...
>
> --Steve Bellovin, https://www.cs.columbia.edu/~smb

--
Kyle Creyts
Information Assurance Professional
BSidesDetroit Organizer
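The two browser-side checks the thread relies on, hostname matching (why a "*.google.com" cert is useless anywhere but a Google domain) and the Chrome-style public key pin that caught a chain issued inside the official PKI, written out as an added example; this is not code from the thread or from Chrome, and the pin set and SPKI bytes are constructed placeholders, not Google's real pins:

```python
import base64
import hashlib
from dataclasses import dataclass


def spki_pin(spki_der: bytes) -> str:
    """Pin string in the HPKP/Chrome style: base64(SHA-256(SubjectPublicKeyInfo DER))."""
    return "sha256/" + base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


# Constructed sample pin set (hypothetical, not Google's real pins): any chain for
# google.com or a subdomain must pass through a key whose SPKI hash is listed here.
TRUSTED_GOOGLE_CA_SPKI = b"constructed SPKI bytes of the CA key Google actually uses"
PINS = {"google.com": {spki_pin(TRUSTED_GOOGLE_CA_SPKI)}}


@dataclass
class Chain:
    subject_alt_names: list  # DNS names carried by the leaf certificate
    spkis: list              # SubjectPublicKeyInfo DER of each cert, leaf first


def hostname_matches(pattern: str, host: str) -> bool:
    """RFC 6125 style matching: '*' covers exactly one leftmost label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return host.endswith(pattern[1:]) and host.count(".") == pattern.count(".")
    return pattern == host


def pinned_domain(host: str):
    """Most specific pinned domain covering host (pins also cover subdomains), or None."""
    labels = host.lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in PINS:
            return candidate
    return None


def validate(chain: Chain, host: str) -> str:
    """Name check first, then the pin check that fires even when the chain is PKI-valid."""
    if not any(hostname_matches(n, host) for n in chain.subject_alt_names):
        return "name-mismatch"  # a *.google.com cert is non-functional on any other site
    domain = pinned_domain(host)
    if domain and not any(spki_pin(s) in PINS[domain] for s in chain.spkis):
        return "pin-violation"  # chains to a trusted root, but not through the expected key
    return "ok"
```

Real certificate chain validation (signatures, validity periods, revocation) happens before these checks; the example isolates only the name and pin logic.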