Codebreaker

Rogue Google certificate loose in the wild

John Moe Aug 30, 2011

Lock up your Googles! A forged certificate has been detected that can allow hackers to get into just about any Google account you can think of, including Gmail.

From the Telegraph:

The “man in the middle” attack also further undermines general confidence in the Secure Sockets Layer (SSL), a security protocol used to authenticate all kinds of sensitive internet traffic, including online banking. SSL certificates are meant to act as an independent third party to verify that communication between a website and a browser are secure.

The forgery appears to be based in Iran. This issue casts a light on the pretty weird and highly byzantine system of certifications and who is authorized to issue them. Short answer: dozens of places you wouldn’t expect, many are holdovers from the early days of the web. Since these certificates are what verify identity on the web, a lot of people think there need to be fewer issuing authorities that could be more easily managed.

There’s a lot happening in the world.  Through it all, Marketplace is here for you. 

You rely on Marketplace to break down the world’s events and tell you how it affects you in a fact-based, approachable way. We rely on your financial support to keep making that possible. 

Your donation today powers the independent journalism that you rely on. For just $5/month, you can help sustain Marketplace so we can keep reporting on the things that matter to you.