[cryptography] DigiNotar SSL Hack Diagram | Cyber Chatter

Jeffrey Walton noloader at gmail.com
Tue Sep 20 16:21:03 EDT 2011


On Tue, Sep 20, 2011 at 10:37 AM, el GaTo mAlO <gatomalo at uscyberlabs.com> wrote:
> I am a n00b so be nice. I wrote this post about the Diginotar hack and I
> kid of mind-map it. Any comments would be welcomed.
>
> http://uscyberlabs.com/blog/2011/09/16/diginotar-ssl-hack-diagram/
> Timeline of DigiNotar SSL Hack. | Chronological Order of DigiNotar
> SSL-CA Hack
> http://uscyberlabs.com/blog/2011/09/12/timeline-diginotar-ssl-hack/
Apple patched 10.6.8 and 10.7 desktops and servers on Sept 09,
iDevices , and other desktops and servers are still vulnerable.
http://support.apple.com/kb/HT4920.

Microsoft smart phones might still be vulnerable.
http://www.pcworld.com/businesscenter/article/239607/diginotar_certificates_are_pulled_but_not_on_smartphones.html

Google's smart phone position
(http://code.google.com/p/cyanogenmod/issues/detail?id=4260): "Why
would we remove the root certificate?  DigiNotar hasn't been revoked
as a CA... MITM attacks are pretty rare." (Sep 1, 2011). On Sept 2,
2011 the issue was closed. On Sept 10, 2011 they took partial action
(apparently, the project maintainers were getting tired of folks
re-opening the issue).

Recall that Marsh pointed out that folks thought they were being
MITM'd at least 6 days earlier
(https://www.google.com/support/forum/p/gmail/thread?tid=2da6158b094b225a&hl=en).

Apparently, Google does not want to disrupt e-commerce in the western
hemisphere at the expense of folks in the eastern hemisphere. +1 to
Google.

Jeff



More information about the cryptography mailing list