Posted By: slolerner Security Updates - 09/16/11 12:35 AM
OK, Microsoft security update (haha), Adobe Reader security update, Apple security update, all in one day? What's up with that?
Posted By: tacit Re: Security Updates - 09/16/11 03:41 AM
They're all a result of the DigiNotar debacle.

DigiNotar is, or was, a Dutch certificate authority that got hacked a while back. The hackers created a bunch of forged security certificates for a lot of high-profile Web sites, including Google and eBay, which they then sold on to the Iranian government. The Iranian government used the forged SSL certificates to intercept people's communications, read their Gmail mail, and so on.

Basically, a certificate authority (or CA) is the root of trust in the whole chain of SSL certificates. A security certificate is an encryption key that is issued to a Web site. The key contains the name of the Web site, the digital encryption signature of the CA where it came from, and the codes that let a Web browser set up a secure, encrypted link with that Web site.

The idea is that a CA will do background checks on a Web site before issuing a security certificate. When you connect to a Web site securely using SSL, the browser will check that the security certificate is valid, and that it was issued by a trustworthy company. Every browser carries a list of the CAs that the browser programmer considers reputable and trustworthy. If the browser sees a security certificate that didn't come from a reputable, trustworthy CA, the browser refuses to use it and warns you that the site might be bogus.

When DigiNotar got hacked, the hackers were able to create genuine security certificates--more than 500 in all--that let them set up sites that seemed like the real thing. The Iranian government for a time redirected any attempt to reach gmail.com to its own servers, which looked just like gmail and presented what seemed to be a legitimate security certificate for gmail. Worse, from a security standpoint, even though DigiNotar had been hacked, they didn't tell anyone about it for months.

The security updates from Apple, Adobe, and Microsoft all remove DigiNotar from the list of trusted CAs. From now on, Safari, Internet Explorer, Acrobat Reader (and others, including Chrome and Firefox) no longer trust DigiNotar security certificates. (Adobe Reader isn't a browser, but it can access the Web and it can read encrypted and signed PDFs, which is why it has a list of CAs in it.)
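
Added example, not part of tacit's post or of any vendor's update: a defender-side check for the trust-list change described above. It scans a CA list, in the format Python's ssl.SSLContext.get_ca_certs() returns, for entries that name DigiNotar as subject or issuer. The sample store, its names and its serial numbers are constructed.

```python
import ssl

# Name fragment of the CA the updates stopped trusting (from the thread).
DISTRUSTED = ("diginotar",)

def name_values(rdns):
    """Flatten the nested tuples ssl uses for a subject or issuer name."""
    return [value for rdn in rdns for (_key, value) in rdn]

def find_distrusted(ca_certs, fragments=DISTRUSTED):
    """Return (subject, serial) for each entry whose subject or issuer
    contains a distrusted name fragment (case-insensitive)."""
    hits = []
    for cert in ca_certs:
        subject = name_values(cert.get("subject", ()))
        issuer = name_values(cert.get("issuer", ()))
        haystack = " ".join(subject + issuer).lower()
        if any(fragment in haystack for fragment in fragments):
            hits.append((", ".join(subject), cert.get("serialNumber", "?")))
    return hits

def audit_default_store():
    """Audit the CA certificates Python loads by default on this machine.
    get_ca_certs() lists only certificates already loaded into the context;
    those in a capath directory are not listed until they have been used."""
    return find_distrusted(ssl.create_default_context().get_ca_certs())

def _name(org, cn):
    # Helper for building constructed names in get_ca_certs() format.
    return ((("organizationName", org),), (("commonName", cn),))

# Constructed sample store: names and serial numbers are invented.
SAMPLE_STORE = [
    {"subject": _name("Example Trust", "Example Root CA"),
     "issuer": _name("Example Trust", "Example Root CA"), "serialNumber": "01"},
    {"subject": _name("DigiNotar", "DigiNotar Root CA (constructed)"),
     "issuer": _name("DigiNotar", "DigiNotar Root CA (constructed)"), "serialNumber": "02"},
    # Cross-signed intermediate: only the issuer reveals the distrusted CA.
    {"subject": _name("Example Gov", "Example Intermediate CA"),
     "issuer": _name("DigiNotar", "DigiNotar Root CA (constructed)"), "serialNumber": "03"},
]

if __name__ == "__main__":
    for subject, serial in find_distrusted(SAMPLE_STORE):
        print("distrusted entry in sample:", subject, "serial", serial)
    print("hits in this machine's default store:", audit_default_store())
```

An empty result from audit_default_store() covers only the store Python loads; Safari, Internet Explorer and Adobe Reader each consult their own trust list.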
Posted By: grelber Re: Security Updates - 09/16/11 11:45 AM
In addition to tacit's excellent description, in case you missed it, is the lengthy article "Hacker Rattles Security Circles" by Somini Sengupta in The New York Times on September 12, 2011.
Posted By: slolerner Re: Security Updates - 09/16/11 04:48 PM
Thanks, I'm glad I asked. I couldn't find news about a new virus or anything. That was full of intrigue. "Do I have to change passwords?" sez paranoid me living inside easygoing me.

Posted By: tacit Re: Security Updates - 09/16/11 08:54 PM
Nope. No need to change passwords unless you were using an Iranian ISP between June and September of this year to access Gmail, Google Groups, Google Accounts, Mozilla, the Mozilla Firefox repository, or the like.

The stolen certificates were only present, from everything I've been able to gather, on certain state-run ISPs inside Iran.
Posted By: slolerner Re: Security Updates - 09/16/11 10:07 PM
ummmm... nope.
Posted By: Virtual1 Re: Security Updates - 09/19/11 06:12 PM
Originally Posted By: tacit
Worse, from a security standpoint, even though DigiNotar had been hacked, they didn't tell anyone about it for months.

For this specific reason alone, they should go away, completely, forever. In the business they are in, this is the ultimate unforgivable mistake. It's bad enough when you get hacked, but when you cover it up, that's simply unforgivable.
Posted By: alternaut Re: Security Updates - 09/20/11 04:58 PM
Originally Posted By: Virtual1
For this specific reason alone, they should go away, completely, forever. [...]
It's bad enough when you get hacked, but when you cover it up, that's simply unforgivable.

Looks like your wish got granted, at least formally. Earlier today the Haarlem District Court in the Netherlands declared DigiNotar BV bankrupt, following an earlier filing of a voluntary bankruptcy petition* by the company. That said, parent company Vasco will likely set up a successor to DigiNotar using its intellectual property etc.

With regard to an active cover-up by DigiNotar, the preliminary report of an investigation into the DigiNotar hack doesn't indicate there was one. At this point it isn't clear yet whether DigiNotar will be prosecuted for criminal liability other than the fact that they didn't file a report of the break-in with the authorities as soon as they noticed it (presumably on June 19; see 'Timeline', section 5.4 of the report).

*) This filing became inevitable after OPTA (the Dutch telecom authority) had revoked the company's license as Trusted Third Party. DigiNotar was ordered to revoke all existing certificates and forbidden to issue new ones.
Posted By: alternaut Re: Security Updates - 09/24/11 05:33 PM
More user info on this topic (or 'tacit expanded'): "Keep your Mac safe from Web security flaws".
© FineTunedMac