{"id":5958,"date":"2014-07-10T10:00:52","date_gmt":"2014-07-10T14:00:52","guid":{"rendered":"http:\/\/blog.nccomputertech.com\/?p=5958"},"modified":"2014-07-10T10:00:52","modified_gmt":"2014-07-10T14:00:52","slug":"crypto-certificates-impersonating-google-and-yahoo-pose-threat-to-windows-users","status":"publish","type":"post","link":"https:\/\/nccomputertech.com\/techtalk\/2014\/07\/10\/crypto-certificates-impersonating-google-and-yahoo-pose-threat-to-windows-users\/","title":{"rendered":"Crypto certificates impersonating Google and Yahoo pose threat to Windows users"},"content":{"rendered":"<p style=\"text-align:center;\"><a href=\"http:\/\/arstechnica.com\/security\/2014\/07\/crypto-certificates-impersonating-google-and-yahoo-pose-threat-to-windows-users\/\"><img data-recalc-dims=\"1\" height=\"728\" width=\"640\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/nccomputertech.com\/techtalk\/wp-content\/uploads\/2014\/07\/disguise-kit-640x728.jpg?resize=640%2C728\" alt=\"\" \/><\/a><\/p>\n<p>People using Internet Explorer and possibly other Windows applications could be at risk of attacks that abuse counterfeit encryption certificates recently discovered masquerading as legitimate credentials for Google, Yahoo, and possibly an unlimited number of other Internet properties.<\/p>\n<p>A blog post published Tuesday by Google security engineer Adam Langley said the fraudulent transport layer security (TLS) certificates were issued by the National Informatics Centre (NIC) of India, an intermediate certificate authority that is trusted and overseen by India&#8217;s Controller of Certifying Authorities (CCA). The CCA, in turn, is trusted by the Microsoft Root Store, a library that IE and many other Windows apps rely on to process the TLS certificates that banks, e-mail providers, and other online services use to encrypt traffic and prove their authenticity. (Firefox, Thunderbird, and Chrome on Windows aren&#8217;t at risk. 
More about that later in this post.)<\/p>\n<p>Unknown scope<\/p>\n<p>In an update posted Wednesday, Langley said the CCA confirmed that the bogus certificates were the result of a compromise of NIC&#8217;s certificate issuance process. The CCA reportedly said only four certificates were compromised. In a sign the CCA&#8217;s findings aren&#8217;t reliable, or at least are only tentative, Langley went on to say Google researchers are aware of still more counterfeit credentials stemming from the NIC breach.<\/p>\n<p>&#8220;The four certificates provided included three for Google domains (one of which we were previously aware of) and one for Yahoo domains,&#8221; he wrote Wednesday. &#8220;However, we are also aware of misissued certificates not included in that set of four and can only conclude that the scope of the breach is unknown.&#8221;<\/p>\n<p>Further Reading<\/p>\n<p>How Heartbleed transformed HTTPS security into the stuff of absurdist theater<\/p>\n<p>Certificate revocation checking in browsers is &#8220;useless,&#8221; crypto guru warns.<\/p>\n<p>The CCA has already revoked all certificates held by intermediate authority NIC. The revocation in theory means Windows users who encounter one of the fraudulently issued TLS certificates will be alerted through mechanisms including the certificate revocation list and online certificate status protocol, which are supposed to flag revoked credentials before they&#8217;re trusted by a browser or other app. In practice, and as Ars reported following the catastrophic Heartbleed vulnerability, the real-time revocation checks are trivial for attackers to bypass.<\/p>\n<p>House of cards<\/p>\n<p>The result is that IE and other apps that rely on Windows to know which certificates to trust have no reliable way of detecting the bogus credentials at the moment. Worse still, at this early stage in the investigation, there&#8217;s no way of knowing just how many certificates were fraudulently issued. 
Based on Langley&#8217;s account, there are at least five impostors (the four confirmed by CCA and at least one other not included in that list seen by Google), but it&#8217;s hard to imagine attackers with control over a Windows-trusted authority would stop at just a handful. Absent some technical constraint, there&#8217;s every reason to believe the attackers minted hundreds, thousands, or even more of the fake IDs.<\/p>\n<p>It was precisely this scenario following the 2011 compromise of DigiNotar that prompted Microsoft to hardwire the revocation of the Dutch certificate authority directly into Windows. By the time Microsoft and other software makers responded, more than 300,000 Internet users, mostly located in and around Iran, were exposed to the certificates when accessing Google mail. Asked Wednesday afternoon if Microsoft planned to follow a similar path this time, company officials issued the following statement:<\/p>\n<p>&#8220;We are aware of the mis-issued third-party certificates and we have not detected any of the certificates being issued against Microsoft domains. 
We are taking the necessary precautions to help ensure that our customers remain protected.&#8221;<\/p>\n<p>Full Story: <a href=\"http:\/\/arstechnica.com\/security\/2014\/07\/crypto-certificates-impersonating-google-and-yahoo-pose-threat-to-windows-users\/\" target=\"_blank\">Crypto certificates impersonating Google and Yahoo pose threat to Windows users | Ars Technica<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>People using Internet Explorer and possibly other Windows applications could be at risk of attacks that abuse counterfeit encryption certificates [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","ast-disable-related-posts":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_feature_clip_id":0,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2},"jetpack_post_was_ever_published":false},"categories":[5,9,11],"tags":[178,341,424,536,1178,1265],"class_list":["post-5958","post","type-post","status-publish","format-standard","hentry","category-microsoft","category-software","category-windows","tag-certificate-authorities","tag-exploit","tag-google","tag-internet-explorer","tag-vulnerability","tag-yahoo"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/papNkV-1y6","jetpack-related-posts":[{"id":7965,"url":"https:\/\/nccomputertech.com\/techtalk\/2015\/04\/02\/google-chrome-will-banish-chinese-certificate-authority-for-breach-of-trust-updated\/","url_meta":{"origin":5958,"position":0},"title":"Google Chrome will banish Chinese certificate authority for breach of trust [Updated]","author":"NCCT","date":"April 2, 2015","format":false,"excerpt":"Google's Chrome browser will stop trusting all digital certificates issued by the China Internet Network Information Center following a major trust breach last week that led to the issuance of unauthorized credentials for Gmail and several other Google domains. 
The move could have major consequences for huge numbers of Internet\u2026","rel":"","context":"In &quot;Security&quot;","block_context":{"text":"Security","link":"https:\/\/nccomputertech.com\/techtalk\/category\/security\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/nccomputertech.com\/techtalk\/wp-content\/uploads\/2015\/04\/handcuffs-640x301.jpg?resize=350%2C200","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/nccomputertech.com\/techtalk\/wp-content\/uploads\/2015\/04\/handcuffs-640x301.jpg?resize=350%2C200 1x, https:\/\/i0.wp.com\/nccomputertech.com\/techtalk\/wp-content\/uploads\/2015\/04\/handcuffs-640x301.jpg?resize=525%2C300 1.5x"},"classes":[]},{"id":5780,"url":"https:\/\/nccomputertech.com\/techtalk\/2014\/06\/17\/preview-cutting-edge-internet-explorer-features-early-with-new-test-build-browser\/","url_meta":{"origin":5958,"position":1},"title":"Preview cutting-edge Internet Explorer features early with new test build browser","author":"NCCT","date":"June 17, 2014","format":false,"excerpt":"Developers can try out new features of the next version of Internet Explorer using a test edition Microsoft has released for their use. The Internet Explorer Developer Channel, which can be downloaded for Windows 8.1 and Windows 7 SP1, runs independently of the user\u2019s copy of IE, allowing programmers to\u2026","rel":"","context":"In &quot;Microsoft&quot;","block_context":{"text":"Microsoft","link":"https:\/\/nccomputertech.com\/techtalk\/category\/microsoft\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":6231,"url":"https:\/\/nccomputertech.com\/techtalk\/2014\/08\/11\/microsoft-to-issue-many-windows-patches\/","url_meta":{"origin":5958,"position":2},"title":"Microsoft to issue many Windows patches","author":"NCCT","date":"August 11, 2014","format":false,"excerpt":"Microsoft has released their advance notification for the August 2014 Patch Tuesday updates. 
There will be a total of nine updates issued next Tuesday, August 12, two of them rated critical. The two critical bugs affect Windows and Internet Explorer. The critical Windows update affects only business and professional editions\u2026","rel":"","context":"In &quot;Microsoft&quot;","block_context":{"text":"Microsoft","link":"https:\/\/nccomputertech.com\/techtalk\/category\/microsoft\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":8742,"url":"https:\/\/nccomputertech.com\/techtalk\/2015\/11\/09\/microsoft-may-block-sha1-certificates-sooner-than-expected\/","url_meta":{"origin":5958,"position":3},"title":"Microsoft may block SHA1 certificates sooner than expected","author":"NCCT","date":"November 9, 2015","format":false,"excerpt":"Encrypted sites running old certificates will be inaccessible from modern browsers. By Zack Whittaker for Zero Day While about one-in-four encrypted websites are still using weak security certificates, Microsoft is considering taking matters into its own hands. With the possibility of an attack becoming ever more possible, the software giant\u2026","rel":"","context":"In &quot;Microsoft&quot;","block_context":{"text":"Microsoft","link":"https:\/\/nccomputertech.com\/techtalk\/category\/microsoft\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":5710,"url":"https:\/\/nccomputertech.com\/techtalk\/2014\/06\/10\/microsoft-pushes-out-massive-security-update-for-internet-explorer\/","url_meta":{"origin":5958,"position":4},"title":"Microsoft pushes out massive security update for Internet Explorer","author":"NCCT","date":"June 10, 2014","format":false,"excerpt":"Microsoft pushes out massive security update for Internet Explorer Six down, six to go. Today is the Microsoft Patch Tuesday for June, and it comes with seven new security bulletins. 
The good news is that five of the seven are only rated as Important, but one of the two Critical\u2026","rel":"","context":"In &quot;Microsoft&quot;","block_context":{"text":"Microsoft","link":"https:\/\/nccomputertech.com\/techtalk\/category\/microsoft\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":6254,"url":"https:\/\/nccomputertech.com\/techtalk\/2014\/08\/20\/internet-explorer-running-slow-dialog-boxes-could-be-at-fault\/","url_meta":{"origin":5958,"position":5},"title":"Internet Explorer running slow? Dialog boxes could be at fault","author":"NCCT","date":"August 20, 2014","format":false,"excerpt":"If you\u2019ve noticed Internet Explorer running slowly lately\u2014or just halting altogether\u2014here\u2019s one possible cause: dialog boxes. On Friday, the same day that Microsoft recommended users download the latest updates for Windows 7 and 8, Microsoft issued a hotfix for Internet Explorer. According to a support article issued Friday, \"web applications\u2026","rel":"","context":"In 
&quot;Microsoft&quot;","block_context":{"text":"Microsoft","link":"https:\/\/nccomputertech.com\/techtalk\/category\/microsoft\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]}],"_links":{"self":[{"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/posts\/5958","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/comments?post=5958"}],"version-history":[{"count":0,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/posts\/5958\/revisions"}],"wp:attachment":[{"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/media?parent=5958"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/categories?post=5958"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/tags?post=5958"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}