DigiNotar Certificate Authority Compromise - Some Early Take-aways
During the past week, the compromise of Dutch certificate authority DigiNotar has kept the security community watching the news. SSL certificates allow encryption of web traffic between users and servers, and the certificate authorities’ job is to give people some reasonable confidence that the server a user is talking to is who it claims to be. As a result of this attack, several fraudulent certificates have been issued, allowing an attacker to make fake websites in the names of 531 (so far) high-profile entities such as Microsoft, Windows Update, Mozilla, Google, the CIA, MI6, and Mossad, to name a few. These fake websites are trusted by web browsers because they seem to have been authorized by DigiNotar. In response to this attack, web browser companies like Mozilla have been pushing critical updates to disable trust in these websites. While the situation is ongoing, preliminary reports by the Dutch government point to widespread use of unprotected computers, out-of-date software, poor password policies, and malicious software infections at a company that, until last week, exceeded some of the most stringent oversight and security standards in Europe.
