Authored by: JimDiGriz on Sunday, August 19 2012 @ 11:24 PM EDT
"I believe there is some kind of subtle attack happening
with fake certs in the same vein as Stuxnet."
Technically the certificates used by Stuxnet weren't fake, just stolen.
JdG
Authored by: Anonymous on Monday, August 20 2012 @ 02:57 AM EDT
A couple or three years ago I was getting SSL warnings on a banking site for
some other site. At one point I was seriously wondering if the banking website
had been compromised.
Any number of phone calls and a few emails later it became obvious to me what
had happened. I use a separate account for on-line banking. In response to one
of the CA compromises (I have forgotten details) I had disabled one or more CAs
for that account. The CAs needed for my bank were still enabled. But although
they denied it at first, it turns out the bank had links in their web page to
one of DoubleClick's cousins (in a loose sense). I didn't recognize the name
(which I have now forgotten) of the third party site when it threw the SSL
error. It turned out that this third party website was using a CA which I had
disabled, hence the error.
I was none too happy about a trusted site (my bank) pulling in 3rd party websites
after I had authenticated but it was easy enough to use Privoxy to block them
from doing so, so I didn't worry about it.