
DigiNotar Security Incident (Certificate)


Darktaurus


Full Member

Posts: 181

Joined: Thu Sep 03, 2009 8:48 am

Post Tue Aug 30, 2011 1:24 pm

DigiNotar Security Incident (Certificate)

It looks like it is time to check your browsers for this cert. Many are suggesting on your *nix boxes to use:

cd /etc/ssl/certs/
rm DigiNotar_Root_CA.pem

It seems like SSL is really getting hit these days. And I do not think EV-SSL certs are going to save the day...


http://www.vasco.com/company/press_room ... ident.aspx
OSCE, OSCP, OSWP, CISSP, GPEN

www.agoonie.com
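An added example, not code from Darktaurus's post or from the Vasco advisory: a POSIX shell script that lists every certificate in a directory whose subject contains "DigiNotar" (with its SHA-1 fingerprint, so you can compare against whatever blocklist your browser vendor publishes) and then deselects the matching entries in a Debian-style ca-certificates.conf. It assumes the openssl CLI is on PATH and Debian's conf format (one certificate path per line, a leading '!' meaning "do not trust"). The script name distrust_diginotar.sh and all sample data in the demo are made up for this example. The reason for editing the conf file rather than only deleting the PEM: on Debian and Ubuntu the files under /etc/ssl/certs are symlinks that update-ca-certificates regenerates from /usr/share/ca-certificates, so a bare rm comes back on the next ca-certificates package update. Firefox and other NSS-based software carry their own trust store and are not touched by either method.

```sh
#!/bin/sh
# Added example, not code from the original post. Finds DigiNotar roots in a
# directory of PEM certificates and deselects them in a Debian-style
# ca-certificates.conf. Assumes the openssl CLI is on PATH and that the conf
# file uses Debian's format (one cert path per line, '!' prefix = deselected).

# Match on the subject rather than one hard-coded fingerprint so that every
# DigiNotar root or intermediate that happens to be in the store is caught.
DISTRUST_PATTERN='DigiNotar'

# find_distrusted_certs DIR
# Prints "path<TAB>sha1-fingerprint<TAB>subject" for each file in DIR that
# parses as an X.509 certificate and whose subject contains DISTRUST_PATTERN.
# Files that are not certificates (keys, conf files) are skipped silently.
find_distrusted_certs() {
    dir=$1
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        subj=$(openssl x509 -noout -subject -in "$f" 2>/dev/null) || continue
        case $subj in
            *"$DISTRUST_PATTERN"*)
                # "SHA1 Fingerprint=AB:CD:..." -> keep only the hex part
                fp=$(openssl x509 -noout -fingerprint -sha1 -in "$f" | sed 's/^.*=//')
                printf '%s\t%s\t%s\n' "$f" "$fp" "$subj"
                ;;
        esac
    done
}

# deselect_in_conf CONF NAME
# Prefixes every active entry in CONF whose path matches NAME (used as a
# basic regex) with '!'. Lines already deselected ('!') or commented ('#')
# are left untouched. On a real Debian/Ubuntu host follow this with
# "sudo update-ca-certificates", which drops the matching symlinks from
# /etc/ssl/certs and rebuilds /etc/ssl/certs/ca-certificates.crt without them.
deselect_in_conf() {
    conf=$1
    name=$2
    sed "/^[^!#].*${name}/s/^/!/" "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# count_deselected CONF
# Number of '!'-prefixed entries in CONF (a quick before/after sanity check).
count_deselected() {
    grep -c '^!' "$1" || true
}

# demo: build a constructed conf file and a constructed self-signed cert in a
# temp dir, then run both functions over them. Nothing is read from the live
# system. Run as:  sh distrust_diginotar.sh demo   (script name is assumed)
demo() {
    d=$(mktemp -d)
    printf 'mozilla/DigiNotar_Root_CA.crt\nmozilla/Example_Root.crt\n' > "$d/ca-certificates.conf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj '/C=NL/O=DigiNotar/CN=DigiNotar Root CA' \
        -keyout "$d/dn.key" -out "$d/DigiNotar_Root_CA.pem" 2>/dev/null
    find_distrusted_certs "$d"
    deselect_in_conf "$d/ca-certificates.conf" DigiNotar
    cat "$d/ca-certificates.conf"
    rm -rf "$d"
}
if [ "${1:-}" = demo ]; then demo; fi
```

On a live box: run `find_distrusted_certs /etc/ssl/certs` first to see what is actually installed, then as root `deselect_in_conf /etc/ca-certificates.conf DigiNotar` followed by `update-ca-certificates`. The fingerprint column is what you compare against the hashes your browser vendor blocklists, since subject names can be reused by a rogue issuer but fingerprints cannot.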

cd1zz


Recruiters

Posts: 566

Joined: Sun Oct 03, 2010 9:01 pm

Post Tue Aug 30, 2011 3:25 pm

Re: DigiNotar Security Incident (Certificate)

It's kind of a broken system. Moxie has great talks on this. If you allow just about anyone to be a CA, or if you're a CA and have shitty security practices, then it ruins the integrity of the entire system. If we can't count on CAs to provide valid certs to legit companies, then what good is it? At least the communication channel is encrypted.

lorddicranius


Sr. Member

Posts: 448

Joined: Thu Mar 03, 2011 3:54 am

Post Tue Aug 30, 2011 3:33 pm

Re: DigiNotar Security Incident (Certificate)

Moxie introduced his alternative for the current CA structure this year at BlackHat/DEFCON:

http://convergence.io/index.html

Has anybody had a chance to check it out?

I just came across this via Twitter: http://codereview.chromium.org/7791032/ ... ificate.cc
Last edited by lorddicranius on Tue Aug 30, 2011 4:46 pm, edited 1 time in total.
GSEC, eCPPT, Sec+

Darktaurus


Full Member

Posts: 181

Joined: Thu Sep 03, 2009 8:48 am

Post Tue Aug 30, 2011 8:11 pm

Re: DigiNotar Security Incident (Certificate)

cd1zz wrote: It's kind of a broken system. Moxie has great talks on this. If you allow just about anyone to be a CA, or if you're a CA and have shitty security practices, then it ruins the integrity of the entire system. If we can't count on CAs to provide valid certs to legit companies, then what good is it? At least the communication channel is encrypted.


I remember that especially when he released sslstrip. I just knew it was only a matter of time after that. I guess a broken system on its way to being crushed. But it will be interesting to see alternatives implemented. I remember being at a talk by Marcus Ranum and he wanted to change AV since that has been defeated, crushed and left for dead. He had some good, interesting ideas on changing the "already too late" paradigm. But we will see. I know we need to have something, or more dark days ahead.


lorddicranius wrote: Moxie introduced his alternative for the current CA structure this year at BlackHat/DEFCON:

http://convergence.io/index.html

Has anybody had a chance to check it out?

I just came across this via Twitter: http://codereview.chromium.org/7791032/ ... ificate.cc



I am checking that out now.  Thanks for the links!
OSCE, OSCP, OSWP, CISSP, GPEN

www.agoonie.com

j0rDy


Hero Member

Posts: 591

Joined: Tue Feb 23, 2010 4:55 am

Location: Netherlands

Post Wed Aug 31, 2011 1:45 am

Re: DigiNotar Security Incident (Certificate)

Be aware: DigiNotar just revealed that there might be more certificates given out to the wrong people. Funny detail: the whole Dutch government has DigiNotar certs, including sites to do taxes etc.
CISSP, CEH, ECSA, OSCP, OSWP

earning my stripes appears to be a road i must travel alone...with a little help of EH.net

Triban


Hero Member

Posts: 620

Joined: Fri Feb 19, 2010 4:17 pm

Post Wed Aug 31, 2011 9:18 am

Re: DigiNotar Security Incident (Certificate)

It all comes down to cost; suddenly paying a couple hundred dollars a year for a cert may not be so bad (Verisign). All these other companies charge pennies in comparison. I would say if you are any major player on the web then you are better off with a higher-end CA for your site certs. If anything, if they get breached, you can get them for more damages. :-p But seriously, companies want to save money, so the $70 cert is much more attractive than the $600 cert. You get what you pay for.

Might as well install your own CA and just use self signed :D
Certs: GCWN
(@)Dewser

lorddicranius


Sr. Member

Posts: 448

Joined: Thu Mar 03, 2011 3:54 am

Post Wed Aug 31, 2011 1:55 pm

Re: DigiNotar Security Incident (Certificate)

Here's a vid of Moxie's preso at BlackHat this year entitled "SSL and the Future of Authenticity"

http://www.youtube.com/watch?v=Z7Wl2FW2TcA

It's a great video, really funny and informative.
Last edited by lorddicranius on Wed Aug 31, 2011 2:37 pm, edited 1 time in total.
GSEC, eCPPT, Sec+

j0rDy


Hero Member

Posts: 591

Joined: Tue Feb 23, 2010 4:55 am

Location: Netherlands

Post Thu Sep 01, 2011 2:34 am

Re: DigiNotar Security Incident (Certificate)

3xban wrote: Might as well install your own CA and just use self-signed :D


there you go, problem fixed ;)
CISSP, CEH, ECSA, OSCP, OSWP

earning my stripes appears to be a road i must travel alone...with a little help of EH.net
