Tag Archives: Certificate

Security Holes Found in “Verisign Trusted” Online Stores

Softpedia

Freedom, the grey hat hacker who in the past period identified a lot of cross-site scripting (XSS) vulnerabilities in some important websites, returns with other interesting finds. He discovered 25 online shops from the United Kingdom containing XSS security holes.

The worrying thing is that all of the sites bear Verisign Trusted, Internet Shopping is Safe, Internet Delivery is Safe, Verified by Visa, and MasterCard SecureCode logos.

http://news.softpedia.com/news/Security-Holes-Found-in-25-Verisign-Trusted-Online-Stores-Exclusive-255155.shtml

DigiNotar Files Bankruptcy

VASCO Announces Bankruptcy Filing by DigiNotar B.V.

VASCO Data Security International, Inc. (Nasdaq: VDSI) (www.vasco.com) today announced that a subsidiary, DigiNotar B.V., a company organized and existing in The Netherlands (“DigiNotar”) filed a voluntary bankruptcy petition under Article 4 of the Dutch Bankruptcy Act in the Haarlem District Court, The Netherlands (the “Court”) on Monday, September 19, 2011 and was declared bankrupt by the Court today.

The Court appointed a bankruptcy trustee (the “Trustee”) and a bankruptcy judge (the “Judge”) to manage all affairs of DigiNotar as it proceeds through the bankruptcy process. The Trustee will work under the supervision of the Judge and be responsible for the administration and liquidation of DigiNotar. The Trustee is required to report to the Judge and his reports are expected to be made available to the public and will serve as a source of information to the creditors and other stakeholders. Effective as of the beginning of business today, the Trustee has taken over the management of DigiNotar’s business activities.

http://www.vasco.com/company/press_room/news_archive/2011/news_vasco_announces_bankruptcy_filing_by_diginotar_bv.aspx

Beta News
Joe Wilcox
DigiNotar goes bust

Digital certificate authorities everywhere be warned: Hackers can destroy you.

http://betanews.com/2011/09/20/diginotar-goes-bust/

Certifiedbug: September 1, 2011: DigiNotar SSL Certificate Hack

Firefox and Thunderbird 6.0.2 released

Additional protection against fraudulent DigiNotar certificates.

https://www.mozilla.org/en-US/firefox/6.0.2/releasenotes/

http://www.mozilla.org/en-US/thunderbird/6.0.2/releasenotes/

If you do not receive an update notice when using the applications, select “Check for Updates” from the Help menu.

Download Firefox 6.0.2
https://www.mozilla.com/en-US/firefox/all.html

Download Thunderbird 6.0.2
http://www.mozilla.org/en-US/thunderbird/all.html

DigiNotar SSL Certificate Hack

Microsoft Security Advisory (2607712)
Fraudulent Digital Certificates Could Allow Spoofing
Published: August 29, 2011 | Updated: August 29, 2011

Microsoft is aware of at least one fraudulent digital certificate issued by DigiNotar, a certification authority present in the Trusted Root Certification Authorities Store, on all supported releases of Microsoft Windows. Although this is not a vulnerability in a Microsoft product, Microsoft is taking action to protect customers.

Microsoft has been able to confirm that one digital certificate affects all subdomains of google.com and may be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks against all Web browser users including users of Internet Explorer. Microsoft is continuing to investigate how many more certificates have been fraudulently issued. As a precautionary measure, Microsoft has removed the DigiNotar root certificate from the Microsoft Certificate Trust List.

All supported editions of Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2 use the Microsoft Certificate Trust List to validate the trust of a certification authority. Users of these operating systems will be presented with an invalid certificate error when they browse to a Web site or try to install programs signed by the DigiNotar root certificate. In those cases users should follow the instructions in the message. Microsoft will release a future update to address this issue for all supported editions of Windows XP and Windows Server 2003.

Microsoft is continuing to investigate this issue and may release future updates to help protect customers.

http://www.microsoft.com/technet/security/advisory/2607712.mspx

Edit
V3.0 (September 6, 2011): Revised to announce the release of an update that addresses this issue.

Computerworld

Hackers may have obtained more than 200 digital certificates from a Dutch company after breaking into its network, including ones for Mozilla, Yahoo and the Tor project, a security researcher reported today.

The count is considerably higher than DigiNotar has acknowledged. Earlier this week, a company spokesman said that “several dozen” certificates had been acquired by the attackers.

http://www.computerworld.com/s/article/9219663/Hackers_may_have_stolen_over_200_SSL_certificates

Mac OS X can’t properly revoke dodgy digital certificates
http://www.computerworld.com/s/article/9219669/Mac_OS_X_can_t_properly_revoke_dodgy_digital_certificates

Firefox and Thunderbird 6.0.1 released after the Mozilla team removed DigiNotar from their root program to protect users.