Hackers Scoop Google Security certificate
p2pnet view Security: “Every year or so, a crisis or three exposes deep fractures in the system that’s supposed to serve as the internet’s foundation of trust. In 2008, it was the devastating weakness in SSL, or secure sockets layer, certificates issued by a subsidiary of VeriSign. The following year, it was the minting of a PayPal credential that continued to fool Internet Explorer, Chrome and Safari browsers more than two months after the underlying weakness was exposed.
“And in 2010, it was the mystery of a root certificate included in Mac OS X and Mozilla software that went unsolved for four days until RSA Security finally acknowledged it fathered the orphan credential.
“This year, it was last month’s revelation that unknown hackers broke into the servers of a reseller of Comodo, one of the world’s most widely used certificate authorities, and forged documents for Google Mail and other sensitive websites. It took two, seven and eight days for the counterfeits to be blacklisted by Google Chrome, Mozilla Firefox and IE respectively, meaning users of those browsers were vulnerable to unauthorized monitoring of some of their most intimate web conversations during that time.”
That was Downer Goodin in The Register.
He went on: “SSL made its debut in 1994 as a way to cryptographically secure e-commerce and other sensitive internet communications. A private key at the heart of the system allows website operators to prove that they are the rightful owners of the domains visitors are accessing, rather than impostors who have hacked the users’ connections. Countless websites also use SSL to encrypt passwords, emails and other data to thwart anyone who may be monitoring the traffic passing between the two parties.”
Now, “Details of the certificate were posted on Pastebin.com last Saturday,” Computerworld states.
“Because the certificate is valid, a browser would not display a warning message if its user went to a website signed with the certificate,” says the story, adding, “Security researcher and Tor developer Jacob Appelbaum confirmed that the certificate was valid in an email answer to Computerworld questions, as did noted SSL researcher Moxie Marlinspike on Twitter.
“Yep, just verified the signature, that pastebin *.google.com certificate is real,” said Marlinspike.
“Everyone is noticing that when they go to their Google Account through AdWords, AdSense, Analytics, or any Google page that requires SSL, they are being prompted with a security warning,” says Search Engine Land, going on, “Typically, it’s not a major deal, right?
“Well, not if you are trying to get customers to buy on your site. As Tim Gross explains, if you are using Google Checkout on your site, this is having a major impact. Not only that, if you are using the conversion tracking scripts for AdWords and your potential buyer clicked on your ad, they may be prompted with a security warning and leave your site. There goes your sale, and you paid for that.”
Stay tuned …
(Cheers, Lawrence)




