Security Updates
OP
Joined: Aug 2009
OK, Microsoft security update (haha), Adobe Reader security update, Apple security update, all in one day? What's up with that?
Mid 2010 MacBook Pro 13" 2.4GHz, 750GB SATA HD, 8 GB RAM, OS 10.7.5 1 HDX1500 2TB Ext.HD, 2 HDX1500 1TB Ext.HD HP Laserjet 6MP printing postscript via 10/100 Intel print server Netgear WN2500RP Range Extender (Ira rocks!) Linksys WRT1900AC Wireless Router Brother MFC-9340CDW Color Laser iPad Air
Re: Security Updates
Joined: Aug 2009
Likes: 1
They're all a result of the DigiNotar debacle.
DigiNotar is, or was, a Dutch certificate authority that got hacked a while back. The hackers created a bunch of forged security certificates for a lot of high-profile Web sites, including Google and eBay, which they then sold on to the Iranian government. The Iranian government used the forged SSL certificates to intercept people's communications, read their Gmail mail, and so on.
Basically, a certificate authority (or CA) is the root of trust in the whole chain of SSL certificates. A security certificate is an encryption key that is issued to a Web site. The key contains the name of the Web site, the digital encryption signature of the CA where it came from, and the codes that let a Web browser set up a secure, encrypted link with that Web site.
The idea is that a CA will do background checks on a Web site before issuing a security certificate. When you connect to a Web site securely using SSL, the browser will check that the security certificate is valid, and that it was issued by a trustworthy company. Every browser carries a list of the CAs that the browser programmer considers reputable and trustworthy. If the browser sees a security certificate that didn't come from a reputable, trustworthy CA, the browser refuses to use it and warns you that the site might be bogus.
When DigiNotar got hacked, the hackers were able to create genuine security certificates--more than 500 in all--that let them set up sites that seemed like the real thing. The Iranian government for a time redirected any attempt to reach gmail.com to its own servers, which looked just like gmail and presented what seemed to be a legitimate security certificate for gmail. Worse, from a security standpoint, even though DigiNotar had been hacked, they didn't tell anyone about it for months.
The security updates from Apple, Adobe, and Microsoft all remove DigiNotar from the list of trusted CAs. From now on, Safari, Internet Explorer, Acrobat Reader (and others, including Chrome and Firefox) no longer trust DigiNotar security certificates. (Adobe Reader isn't a browser, but it can access the Web and it can read encrypted and signed PDFs, which is why it has a list of CAs in it.)
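A check for the situation described in the post above, added here as an example and not part of the original thread: it lists trust-store entries whose subject or issuer still names a distrusted CA. The sample store, its names and serial numbers, and the helper names are constructed for illustration; only Python's standard `ssl` module is used.

```python
import ssl

# CA named in the thread; matched case-insensitively against certificate names.
DISTRUSTED = ("diginotar",)

# Constructed sample in the shape returned by SSLContext.get_ca_certs();
# names and serial numbers are illustrative, not copied from real certificates.
SAMPLE_STORE = [
    {"subject": ((("countryName", "US"),), (("organizationName", "Example Trust"),),
                 (("commonName", "Example Trust Root CA"),)),
     "issuer": ((("countryName", "US"),), (("organizationName", "Example Trust"),),
                (("commonName", "Example Trust Root CA"),)),
     "serialNumber": "01"},
    {"subject": ((("countryName", "NL"),), (("organizationName", "DigiNotar"),),
                 (("commonName", "DigiNotar Root CA"),)),
     "issuer": ((("countryName", "NL"),), (("organizationName", "DigiNotar"),),
                (("commonName", "DigiNotar Root CA"),)),
     "serialNumber": "02"},
    # Intermediate carrying the distrusted name but signed by a different root.
    {"subject": ((("organizationName", "DigiNotar B.V."),),
                 (("commonName", "DigiNotar Services CA"),)),
     "issuer": ((("organizationName", "Example Trust"),),
                (("commonName", "Example Trust Root CA"),)),
     "serialNumber": "03"},
]

def flatten(name):
    """Convert ssl's nested ((key, value),) tuples into 'key=value' strings."""
    return [f"{key}={value}" for rdn in name for key, value in rdn]

def find_distrusted(ca_certs, needles=DISTRUSTED):
    """Return entries whose subject or issuer mentions a distrusted CA."""
    hits = []
    for cert in ca_certs:
        subject = flatten(cert.get("subject", ()))
        issuer = flatten(cert.get("issuer", ()))
        text = " ".join(subject + issuer).lower()
        if any(needle in text for needle in needles):
            hits.append({"serial": cert.get("serialNumber"),
                         "subject": ", ".join(subject)})
    return hits

def audit_local_store():
    """Run the same check on this machine's default trust store."""
    # Certificates in a hashed CA directory are loaded lazily and may not be listed.
    return find_distrusted(ssl.create_default_context().get_ca_certs())

if __name__ == "__main__":
    for hit in find_distrusted(SAMPLE_STORE) + audit_local_store():
        print("still trusted:", hit["serial"], hit["subject"])
```

An empty result from `audit_local_store()` is what a system with the vendor updates applied should show for stores that Python reads; applications that ship their own CA list need to be checked separately.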
Re: Security Updates
Joined: Aug 2009
Likes: 4
In addition to tacit's excellent description, in case you missed it, is the lengthy article Hacker Rattles Security Circles by Somini Sengupta in The New York Times on September 12, 2011.
Re: Security Updates
OP
Joined: Aug 2009
Thanks, I'm glad I asked. I couldn't find news about a new virus or anything. That was full of intrigue. "Do I have to change passwords?" sez paranoid me living inside easygoing me.
Re: Security Updates
Joined: Aug 2009
Likes: 1
Nope. No need to change passwords unless you were using an Iranian ISP between June and September of this year to access Gmail, Google Groups, Google Accounts, Mozilla, the Mozilla Firefox repository, or the like.
The stolen certificates were only present, from everything I've been able to gather, on certain state-run ISPs inside Iran.
Re: Security Updates
Joined: Aug 2009
"Worse, from a security standpoint, even though DigiNotar had been hacked, they didn't tell anyone about it for months."
For this specific reason alone, they should go away, completely, forever. In the business they are in, this is the ultimate unforgivable mistake. It's bad enough when you get hacked, but when you cover it up, that's simply unforgivable.
I work for the Department of Redundancy Department
Re: Security Updates
Joined: Aug 2009
Likes: 1
Moderator
"For this specific reason alone, they should go away, completely, forever. [...] It's bad enough when you get hacked, but when you cover it up, that's simply unforgivable."
Looks like your wish got granted, at least formally. Earlier today the Haarlem District Court in the Netherlands declared DigiNotar BV bankrupt, following an earlier filing of a voluntary bankruptcy petition* by the company. That said, parent company Vasco will likely set up a successor to DigiNotar using its intellectual property etc.
With regard to an active cover-up by DigiNotar, the preliminary report of an investigation into the DigiNotar hack doesn't indicate there was one. At this point it isn't clear yet whether DigiNotar will be prosecuted for criminal liability other than the fact that they didn't file a report of the break-in with the authorities as soon as they noticed it (presumably on June 19; see 'Timeline', section 5.4 of the report).
*) This filing became inevitable after OPTA (the Dutch telecom authority) had revoked the company's license as Trusted Third Party. DigiNotar was ordered to revoke all existing certificates and forbidden to issue new ones.
alternaut ◉ moderator
Re: Security Updates
Joined: Aug 2009
Likes: 1
Moderator
More user info on this topic (or 'tacit expanded'): Keep your Mac safe from Web security flaws.
alternaut ◉ moderator