I transcribe a conversation (fictitious only in part) with an ordinary Internet user, concerned about security and who has been interested in the latest incidents with fake certificates. He wanted to know what position to take. With a carefree attitude, I intend to raise awareness about the enormous distance that separates SSL/TLS from the common user, and how it is "socially broken".
-So, what has happened is that Google's certificates have been stolen, right? As if your ID is stolen. This is what I have read - my friend asks really convinced, because it is true that it is documented in the reputable press.
-They have not been stolen exactly. Someone has breached the security of a certification company (DigiNotar) and has generated their own fake certificates that pass as valid for the programs that use it.
-Then it's like it's fooling everybody, and they can impersonate Google. No? Wow, I can't trust this company... it has more and more security problems...
- Publicidad --It's not a Google security issue. In fact, it has nothing to do with it and it is not their responsibility. What's more, it has been discovered that it has not only been from Google... there are many certificates created from other important domains.
-Whose responsibility is it then?
-Of the certifying entities that do not validate the certificates well or that for any reason, leave their systems exposed so that the attackers can access.
And why isn't that controlled by a major company or a government? DigiNotar does not seem very powerful, you just have to see the page...
- Excellent question. I'll just tell you that with digital certificates a lot of money moves... and the more intermediaries, the more turnover. In any case the problem for the ordinary user is that they can trick him and lead him to a fake page, yes, but previously they would have to redirect your traffic.
Complete content in original Hispasec source
