Author Topic: Some news for the security conscious crowd  (Read 1051 times)


Offline Dan Graves

  • All Time Legend
  • *******
  • Posts: 6603
  • Good Vibes 171
  • Is on the Outside, looking in
Some news for the security conscious crowd
« on: January 04, 2013, 12:13:41 am »
http://googleonlinesecurity.blogspot.nl/2013/01/enhancing-digital-certificate-security.html?m=1

I've been advised to take a more paranoid stance on this than Google has, and I've been told this company has issued a few more fraudulent certs over the last two years, some of which have expired, while others are still in use.
I can't go into any real detail, but I can suggest that you remove/revoke the certificates for this CA, and that you keep a close eye on any certs issued by the other Turkish CA (Tübitak) until things get properly sorted out.
"You need a little bit of insanity to do great things"
--Henry Rollins

(If you need me for something, PM ME FOR FSM'S SAKE ! I'm not around a lot, and I do NOT have thread notifications on!)

Offline LievenDV

  • Administrator
  • All Time Legend
  • *****
  • Posts: 7472
  • Good Vibes 152
    • Point Fifty
Re: Some news for the security conscious crowd
« Reply #1 on: January 04, 2013, 09:12:02 am »
Quote: "they discovered that, in August 2011, they had mistakenly issued two intermediate CA certificates to organizations that should have instead received regular SSL certificates."

..I've got the feeling it wasn't just -these- 2 certs :)

my band: fb: Point Fifty | Instagram: Point Fifty

Offline TB-AV

  • Honorable Ex-Mod
  • All Time Legend
  • *****
  • Posts: 14966
  • Good Vibes 329
Re: Some news for the security conscious crowd
« Reply #2 on: January 04, 2013, 02:38:43 pm »
wonderful.....

I deleted those but I've got a load of Certs in my list. Is there any way to know which ones to get rid of?

Is it a good idea to pare those things down from time to time?

Gone

Offline Dan Graves

Re: Some news for the security conscious crowd
« Reply #3 on: January 04, 2013, 02:57:51 pm »
Personally I've just taken out every single cert by them.
It's a pain in the ass, but I'd rather do the work and minimize further risk than let it be and possibly expose myself even further.

Offline TB-AV

Re: Some news for the security conscious crowd
« Reply #4 on: January 04, 2013, 03:31:41 pm »
I can't seem to eliminate those certs. I click delete / distrust and they go away but then come right back. In another window it does seem to say it's distrusted though.

How do you get rid of it?

Offline Dan Graves

Re: Some news for the security conscious crowd
« Reply #5 on: January 05, 2013, 12:54:27 am »
Are you doing it in the browser or in your Windows certificate management?
[edit] Mozilla is taking the same hardline approach as I am, or so it seems: http://www.theregister.co.uk/2013/01/04/turkish_fake_google_site_certificate/ [/edit]

Offline TB-AV

Re: Some news for the security conscious crowd
« Reply #6 on: January 05, 2013, 01:11:53 am »
I was just doing it in the browser.

Offline Dan Graves

Re: Some news for the security conscious crowd
« Reply #7 on: January 05, 2013, 01:45:03 am »
Browsers tend to keep the certs, marking them and the CA as untrusted, so you don't get a request to accept the cert any time you connect to a service that uses one of the untrusted certificates; that way the browser knows to just deny the connection.
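As an added illustration (not code from this thread or from any browser) of why a deleted root "comes right back" after a restart while an explicit distrust flag sticks and makes chain validation fail, here is a small Python model; all CA names in it are constructed.

```python
# Added illustration: a toy model of the browser trust-store behaviour described
# above. Names are constructed; this is not code from any browser.
from dataclasses import dataclass, field

# Constructed root list standing in for the roots bundled with a browser.
BUILTIN_ROOTS = {"Example Turkish Root CA", "Example Other Root CA"}


@dataclass
class TrustStore:
    certs: set = field(default_factory=set)       # certificates currently present
    distrusted: set = field(default_factory=set)  # persisted "untrusted" overrides

    def load_builtin(self):
        """Merge the bundled roots back in, as a browser does on every start."""
        self.certs |= BUILTIN_ROOTS
        return self

    def delete(self, name):
        """Remove a cert outright; nothing records that the user rejected it."""
        self.certs.discard(name)

    def distrust(self, name):
        """Keep the cert but flag it; the flag survives restarts and re-imports."""
        self.distrusted.add(name)

    def is_trusted(self, name):
        return name in self.certs and name not in self.distrusted

    def validate_chain(self, chain):
        """chain: list of (subject, issuer) pairs from the leaf up to the root.
        Rejects any chain that passes through a distrusted CA or that does not
        end at a trusted root."""
        for subject, issuer in chain:
            for name in (subject, issuer):
                if name in self.distrusted:
                    return False, f"chain passes through distrusted CA: {name}"
        root = chain[-1][1]
        if not self.is_trusted(root):
            return False, f"chain does not end at a trusted root: {root}"
        return True, "ok"


def restart(store):
    """Simulate closing and reopening the browser: user overrides persist and
    the bundled root list is merged back in, so a plain delete is undone."""
    return TrustStore(distrusted=set(store.distrusted)).load_builtin()
```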
