Google has reported on its security blog that most of the people affected by the maneuver are in Iran (the user who warned of the problem claims to be there).
The Dutch company DigiNotar, one of the hundreds of certification authorities that exist in the world, had issued a certificate for Google sites, which did not end up in the hands of the internet giant, but of potential cybercriminals. It's unclear how that certificate was issued or how it got to the wrong people.
What are these certificates?
In simple terms, these certificates consist of a kind of virtual form that the website that is being visited "presents" to the user's browser to confirm that it is indeed who it claims to be.If the browser recognizes the certificate, it establishes the connection and starts exchanging data with confidence. To recognize this, the browser itself has a list of entities that can issue certificates, among which are certificate authorities, such as DigiNotar.
Google, Microsoft and Mozilla, which provide the most popular web browsers (Chrome, Internet Explorer and Firefox, respectively), have tried to address the problem.
Google said it will reject DigiNotar's certificates in Chrome, while it continues to investigate; and clarified that that certification authority should not issue Google certificates.
Microsoft reported that it has removed DigiNotar's general certificate (which in turn validates certificates issued by the company) from the list authorized by its browsers, so if users try to visit a site with certificates from that company they will receive an error message.
For its part, Mozilla has decided directly to launch new versions of its browser (for PCs and mobile devices) and its Thunderbird email client.
It has also suggested to its users to disable DigiNotar certificates in Firefox preferences.
Almost two months
The thing is that while the companies' announcements are from this Monday, the fake certificate was issued on July 10 and no one knows for sure what it could have been used for during all this time.The truth is that, as Mateusz Pawlowski, an internet infrastructure specialist at the BBC, explained, the mere fact of having the fake certificate is not enough to intercept the user's connections with Google sites.
It is also necessary to make the traffic pass through some server controlled by the one who is trying to spy on users.
For that, the expert said, the spy would need to penetrate the victim's computer or the systems of his Internet service provider (ISP), in order to divert the traffic that circulates between the user's browser and the Google site he is visiting, to constitute himself as an intermediary of that communication.
Authoritarian states, with greater control over ISPs, have an easier time doing something like this than other nations.
But so can private actors, Pawlowski said.
New alternatives
Cases like this have led to the fact that in the world of Internet security the effectiveness of certificates and the structure of certification agencies are increasingly questioned.In a note posted on its website, the Electronic Frontiers Foundation (EFF) says this system, created decades ago to verify online transactions, is not in a position to meet today's security needs.
"Today internet users rely on this system to protect their privacy from (the eyes) of nation-states," he says. "We doubt that it can bear this burden."
There are several initiatives that seek to overcome this system that today seems to have become too susceptible to being violated.
The EFF has established a certificate observatory and another initiative called Convergence seeks to completely replace its use.
And Chrome, Google's browser, already has a built-in verification system for the company's sites that prevents certificate fraud.
In fact, that feature was what allowed the user who wrote on their forums to detect that they were facing a fake certificate.
Source: BBC
