Ξ welcome to cryptostorm's member forums ~ you don't have to be a cryptostorm member to post here Ξ
∞ take a peek at our legendary cryptostorm_is twitter feed if you're into that kind of thing ∞
Ξ we're rolling out voodoo network security across cryptostorm - big things happening, indeed! Ξ
Ξ any OpenVPN configs found on the forum are likely outdated. For the latest, visit GitHub Ξ

[eSP] Google Hit Again by Unauthorized SSL/TLS Certificates

Industry news items concerning VPNs, darknets, crypto, surveillance and secure computing.
User avatar

Topic Author
parityboy
Site Admin
Posts: 1096
Joined: Wed Feb 05, 2014 3:47 am

[eSP] Google Hit Again by Unauthorized SSL/TLS Certificates

Postby parityboy » Thu Mar 26, 2015 12:53 am

On March 23 Google reported that unauthorized certificates for Google domains were issued by MCS Holdings, which is an intermediate certificate authority under CNNIC. Because CNNIC is a trusted CA that is included in every major Web browser, the certificate might have been trusted by default, even though it wasn't legitimate.

Google, thanks to its own past experience, leverages HTTP public key pinning (HPKP) in Chrome and Firefox. With HPKP, sites can "pin" certificates that they will allow. As such, fraudulent certificates not pinned by Google would not be accepted as authentic.

Browsers that don't support HPKP in the same way, including Apple Safari and Microsoft Internet Explorer, might have been potentially tricked by the fraudulent certificates, however.


Source

Rather pertinent, methinks.

Return to “crypto, VPN & security news”

Who is online

Users browsing this forum: No registered users and 7 guests

Login