Microsoft blacklists fraudulently issued SSL certificate
Microsoft released an update to blacklist an SSL certificate for one of its domain names that was issued to an unauthorized third party.
New cases of insecure HTTPS traffic interception are coming to light as researchers probe software programs for implementations that could enable malicious attacks. The latest software to open a man-in-the-middle hole on users' PCs is a new version of PrivDog, an advertising product with ties to security vendor Comodo.
It's generally accepted that antivirus programs provide a necessary protection layer, but organizations should audit such products before deploying them on their systems because many of them contain serious vulnerabilities, a researcher warned.
Tens of thousands of new digital certificates have been issued by Comodo in the wake of the "Heartbleed" security flaw, which has put Internet users' data at risk.
McAfee research indicates that a steep rise in the amount of malware signed with legitimate digital certificates -- not forged or stolen ones -- is a growing threat, and it raises the question of whether some kind of "certificate reputation service" or other method is needed to stop certificate abuse.
Responding to the increasing number of threats aimed at certificate authorities and the ecosystem of trusted online transactions they represent, seven certificate authorities have come together to form an advocacy group to advance security standards and promote best practices.
With cyber-criminals increasingly exploiting digital certificates to undermine security, the vendors with the most influence as certificate authorities have banded together to speak as an industry group and advocate for security best practices.
SSL certificate authorities like Comodo whose security has been undermined by hackers shouldn't be trusted, and in fact the way the entire SSL certificate industry works today can and should be replaced with something better, says Moxie Marlinspike, a security expert who has come up with a plan he says will do that.
News of an Iranian hacker duping certification authority Comodo [1] into issuing digital certificates to one or more unauthorized parties has caused an uproar in the IT community, moving some critics to call for Microsoft and Mozilla to remove Comodo as a trusted root certification authority from the systems under their control. Though the hacker managed his feat by first compromising a site containing a hard-coded logon name and password, then generating certificates for several well-known sites, including Google, Live.com, Skype, and Yahoo, I'm not bothered by the technical issue. Instead, my main concern over Public Key Infrastructure (PKI) and digital certification is that users don't understand it.
For the most part, people don't care about digital certificates and the security they could provide. I have a hard time getting worked up about a system error that 99 percent of users simply ignore.
PKI is not the culprit