On July 2, Google engineers discovered unauthorized certificates for Google domains in circulation. They had been issued by the National Informatics Center in India. They are a trusted sub-authority under the Indian Controller of Certifying Authorities (CCA). They in turn are part of the Microsoft Root Store of certificates, so just about any program running on Windows, including Explorer and Chrome, will trust the unauthorized certificates.
The power of this attack is that the holder of the private key to the certificate can impersonate secure Google servers. Your browser would not report any security alerts because the certificate is “properly” signed and trusted within the built in trust hierarchy.
Firefox does not have the CCA in its root certificate list and so is not affected. Likewise Mac OS, iOS, Android, and Chrome OS are safe from this particular incident as well.
It is not known exactly why these certificates were issued, but the obvious use would be national surveillance.
While this attack seems to be targeted to India and only impacts the Microsoft ecosystem, the larger problem is much more general. There is a long list of trusted certificate authorities, which in turn delegate trust to a vast number of sub-authorities, any of whom can trivially create certificates for any domain which would be trusted by your computer.
In this case the attack was detected quickly, but if it had been very narrowly targeted detection would have been very unlikely and monitoring could have continued over very long periods.
As an end user, you can install Certificate Patrol in Firefox to automatically detect when a website’s certificate is changed. This would detect this kind of attack.
On Chrome you should enable “Check for server certificate revocation” in advanced settings. That will at least allow quick protection once a certificate is compromised.
Update: Microsoft has issued an emergency patch removing trust from the compromised authority.
Continuing the pattern of Internet restrictions I talked about before, Russia has passed a new law requiring Internet companies to keep the personal data of Russians in data centers within the country. The ostensible reason for this is to protect Russians against US Government snooping (in the wake of the Snowden leaks), and against other outside threats.
The law requires that companies doing business in Russia must open data centers within the borders by 2016 or be blocked.
There are many ways for people motivated to bypass these restriction to access whatever they want, but most people will just use what is available, giving the Russian government more ability to monitor the activities of their citizens themselves.
Thanks to WhoIsHostingThis for providing this informative infographic (click to enlarge). They provide a cool service that allows you to look up the hosting service behind any website.
A vulnerability in LIFX WiFi enabled light bulbs allowed researchers at Context Information Security to control the lights and access information about the local network setup.
The whole “Internet of Things” trend is introducing all kinds of new vulnerabilities. Because these devices tend to be cheap, don’t feel like tech, and don’t expose much user interface, users are unlikely to secure, patch, or otherwise maintain them.
As these devices proliferate in our networks, we will be introducing ever more largely invisible vulnerabilities, usually without any thought to the consequences.
- A decision giving Canadians more rights to Anonymity
- Iraq’s recent blocking of social media and more
- Iran’s outright criminalization of social media
- A court decision requiring warrants to access cell tower location data
- Another court stating that irrelevant seized data needs to be deleted after searches
- A massive failure of data anonymization in New York City
- A court requiring a defendant to decrypt his files so they can be searched
- The Supreme Court ruling protecting cellphones from warrantless search.
- Phone tracking streetlights in Chicago
- And a small change for iPhones bringing big privacy benefits