[Local-Maine-Schools] Danger from compromise of digital certificate authority, Apple unpatched

Dick Atlee atlee at umd.edu
Tue Sep 6 02:32:13 UTC 2011


This article on the latest massive digital certificate mess is scary. 
Even worse is the apparent risk for a number of browsers UNLESS THEY ARE 
PATCHED, and the difficulty of fixing some for which patches are 
unavailable (e.g. Safari and OS/X itself).

(It isn't clear what to make of the author's assertion that the latest 
Firefox is Version 6.0.1, when Mozilla says it is 4.)

-----------------------------------------------------------------------
SSL certificate debacle includes CIA, MI6, Mossad and Tor
Chester Wisniewski
Sophos
September 5, 2011
http://nakedsecurity.sophos.com/2011/09/05/ssl-certificate-debacle-includes-cia-mi6-mossad-and-tor/

Last week I wrote about the compromise of digital certificate authority 
DigiNotar. While the idea of over 250 false certificates being issued 
was scary, the number has grown to 531, including what could be 
intermediate signing certificates.

This is really bad news. As DigiNotar is a "root" certificate, they can 
assign authority to intermediaries to sign and validate certificates on 
their behalf.

It appears the attackers signed 186 certificates that could have been 
intermediate certificates. These certificates masqueraded as well-known 
certificate authorities like Thawte, Verisign, Comodo and Equifax.

The expanded list of domains for which fraudulent certificates were 
issued includes Facebook, Google, Microsoft, Yahoo!, Tor, Skype, Mossad, 
CIA, MI6, LogMeIn, Twitter, Mozilla, AOL and WordPress. A complete list 
can be downloaded from the Tor website.

The attackers also issued themselves certificates for *.*.com and 
*.*.org. I am not sure if a multi-wildcard certificate like this is 
valid, but if so it could allow them to impersonate anything.

According to the blog post on the Tor project's website, they also left 
a message in Farsi. Loosely translated, it reads "great cracker, I will 
crack all encryption, i hate/break your head."

This incident makes me feel more justified than ever in my distrust of 
the certificate system. While Mozilla, Google and others have been quick 
to permanently remove DigiNotar as a trusted authority, in this case it 
is too little, too late.

Currently computer users of IE and Safari on Windows 
7/Vista/2008/2008R2, or Chrome and Firefox on any platform, are 
protected against exploitation as long as they are fully patched.

Mac OS X users using the latest Chrome and Firefox (6.0.1) versions are 
fine, but Safari and OS X itself have not been patched. There are 
instructions on doing so on the ps | Enable blog, although it is 
non-trivial.

More concerning is that mobile users are being left in the dark. There 
have been no updates, and no manual removal method for Android or 
iPhone/iPad/iPod Touch users who haven't jailbroken/rooted their devices.

Tap, tap, tap... Hello, Apple? Are you there? Your competitors 
(Microsoft, Google, Mozilla) are protecting their customers promptly and 
openly. I know you don't like to talk about security, but now would be a 
great time to show you care.

Correction: I mistakenly had noted Firefox 6.0.2 was current, when in 
fact 6.0.1 is the latest.
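The Sophos post above leaves open whether a *.*.com or *.*.org certificate would actually be honoured. The following is an added example, not code from the Sophos post, the Tor write-up or any browser: it implements the dNSName matching rules of RFC 6125 (wildcard only in the left-most label, as a whole label, matching exactly one label, never an IDNA A-label) over constructed host names modelled on the ones in the article. The extra rule that a wildcard must leave at least two labels (so *.com is refused) is an assumption chosen here for conservatism, not a rule quoted from the RFC. Under these rules a *.*.com name is rejected before any matching is attempted.

```python
"""Hostname matching for X.509 dNSName identifiers, in the spirit of RFC 6125.

Constructed example: it matches a reference host name (what the user typed)
against presented identifiers (subjectAltName dNSName values, or the CN as a
fallback). The rules are written from scratch and are not any browser's code.
"""
from typing import List, Optional


def _labels(name: str) -> List[str]:
    """Normalise a DNS name: case-insensitive, trailing dot ignored, no empty labels."""
    name = name.strip().rstrip(".").lower()
    if not name or ".." in name or name.startswith("."):
        return []
    return name.split(".")


def identifier_is_acceptable(presented: str) -> bool:
    """Reject malformed or over-broad presented identifiers before matching."""
    labels = _labels(presented)
    if not labels:
        return False
    for i, label in enumerate(labels):
        if "*" in label:
            if i != 0:            # a wildcard is only allowed in the left-most label
                return False
            if label != "*":      # partial-label wildcards such as f*o.example.com are refused
                return False
            if len(labels) < 3:   # assumption: "*.com" would cover a whole TLD, so require *.example.com
                return False
    return True


def hostname_matches(reference: str, presented: str) -> bool:
    """True if the presented dNSName identifier covers the reference host name."""
    if not identifier_is_acceptable(presented):
        return False
    ref = _labels(reference)
    pres = _labels(presented)
    if not ref or "*" in reference:   # the reference identifier is never a wildcard
        return False
    if len(ref) != len(pres):         # "*" matches exactly one label, never zero or several
        return False
    for r, p in zip(ref, pres):
        if p == "*":
            if r.startswith("xn--"):  # RFC 6125: do not let "*" match an IDNA A-label
                return False
            continue
        if r != p:
            return False
    return True


def cert_covers_host(reference: str, san_dnsnames: List[str], cn: Optional[str] = None) -> bool:
    """Check a certificate's names: SAN dNSNames take precedence, CN only as a fallback."""
    names = san_dnsnames if san_dnsnames else ([cn] if cn else [])
    return any(hostname_matches(reference, n) for n in names)


if __name__ == "__main__":
    # Constructed cases modelled on the names discussed in the article.
    cases = [
        ("www.google.com", "*.google.com", True),
        ("www.google.com", "*.*.com", False),       # multi-wildcard: rejected outright
        ("mail.google.com", "*.com", False),        # too broad: would cover every .com host
        ("www.google.com", "google.com", False),    # no wildcard, label count differs
        ("a.b.google.com", "*.google.com", False),  # "*" matches exactly one label
        ("WWW.GOOGLE.COM.", "*.google.com", True),  # case and trailing dot normalised
    ]
    for ref, pres, expected in cases:
        got = hostname_matches(ref, pres)
        print(f"{ref:18} vs {pres:14} -> {got}")
        assert got == expected
```

Note that this only answers the name-matching half of the question. A certificate issued by a compromised but still-trusted root for an ordinary name such as login.google.com matches perfectly well; the only defence against that is removing or distrusting the root, which is the point the rest of the post makes.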
