Tuesday, September 6, 2011

Hacked Certificate Authority

DigiNotar, a root CA, was compromised last week. That led to many rogue certificates being issued for respected names such as Google and Yahoo. It is assumed that these certificates were issued in order to carry out man-in-the-middle attacks against these companies. The list of rogue certificates can be found on the Tor project web site:


Of particular interest among the rogue certificates are two for *.*.com and *.*.org. RFC 2818 does not say whether such certificates are valid. Accordingly, the interpretation of whether they are allowed to pass host verification is up to the browsers. Fortunately, most browsers do the logical thing: they require at least two concrete domain name components. This is in alignment with RFC 2109 for cookie management, too.
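As an added example that is not part of the original post, here is a small host-name matcher in Python that applies the conservative rule described above (a wildcard must be the whole leftmost label and be followed by at least two concrete labels), so that a certificate for *.*.com never passes host verification. The rule set is my assumption, modelled on common browser behaviour, and is not a transcription of any browser's or RFC's code.

```python
# Added example: conservative wildcard host-name matching.
# The rules are assumptions modelled on common browser behaviour.

def labels(name: str) -> list[str]:
    """Split a DNS name into lowercase labels, dropping a trailing dot."""
    name = name.rstrip(".").lower()
    parts = name.split(".")
    if not name or any(not lbl for lbl in parts):
        raise ValueError(f"malformed name: {name!r}")
    return parts

def wildcard_pattern_is_acceptable(pattern: str) -> bool:
    """True if a certificate name may be used for matching.
    Assumed rules: at most one '*', it must be the entire leftmost label,
    and at least two concrete labels must follow it. So '*.*.com', '*.com'
    and 'www.*.com' are rejected while '*.google.com' is allowed.
    Note: this label count alone still accepts '*.co.uk'; a real
    implementation would also consult a public-suffix list."""
    try:
        parts = labels(pattern)
    except ValueError:
        return False
    star_count = pattern.count("*")
    if star_count == 0:
        return True                      # plain name, no wildcard at all
    if star_count > 1 or parts[0] != "*":
        return False                     # '*.*.com', 'www.*.com', 'w*.x.com'
    return len(parts) >= 3               # '*.com' rejected, '*.google.com' ok

def hostname_matches(pattern: str, host: str) -> bool:
    """Match a presented host against a certificate name. A wildcard matches
    exactly one label: '*.google.com' matches 'mail.google.com' but not
    'google.com' or 'a.b.google.com'."""
    if "*" in host:
        return False                     # a wildcard in the host itself is never valid
    if not wildcard_pattern_is_acceptable(pattern):
        return False
    try:
        pat, hst = labels(pattern), labels(host)
    except ValueError:
        return False
    if len(pat) != len(hst):
        return False                     # wildcard never spans several labels
    return all(p == "*" or p == h for p, h in zip(pat, hst))

if __name__ == "__main__":
    for cert_name in ("*.*.com", "*.google.com", "www.google.com"):
        print(cert_name, "->", hostname_matches(cert_name, "www.google.com"))
```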

Let's hope all browsers are sane.
