Gmail Attack Highlights Web Insecurity

Gmail Attack Highlights Web Insecurity
A man-in-the-middle attack that relied on an unauthorized Google SSL certificate has revived concern over whether any Web communication is really secure.

By Thomas Claburn InformationWeek
August 30, 2011 09:19 AM

A user posting to Google's Gmail Help forum under the name "Alibo" claims to have received a warning from Google's Chrome browser that the SSL certificate he received when visiting Gmail was a fake. A self-described resident of Iran, "Alibo" speculates that either his government or ISP, ParsOnline, presented the fake certificate to intercept his communications.

"Alibo" posted a copy of the certificate to PasteBin, and security researcher Moxie Marlinspike confirmed via Twitter that the certificate has a valid signature. That means that the person or entity using it could use it to intercept Gmail traffic via a man-in-the-middle (MITM) attack.

Google acknowledged the reported MITM attack and noted that the certificate authority (CA) issuing the certificate, DigiNotar, should not be issuing certificates for Google. The company also called attention to a Chrome security feature that blocked the attack.

"We're pleased that the security measures in Chrome protected the user and brought this attack to the public's attention," a spokesperson said in an email. "While we investigate, we plan to block any sites whose certificates were signed by DigiNotar."

To continue reading, here is the complete posting.

CookGroupAugust 30, 2011