certificate abuse

(get it in RSS or Atom)

Coinbase wallet app in SSL/TLS SNAFU

Bitcoin digital wallet

The popular Bitcoin wallet Coinbase has a security flaw in its Android apps which could allow an attacker to steal authentication codes and access users' accounts, according to a security researcher.

Coinbase is far from alone in leaving its wallet app users vulnerable, so what should you do to stay safe when using mobile banking apps?

Turkish Certificate Authority screwup leads to attempted Google impersonation


Another Certificate Authority has been caught out having issued certificates that were being used to impersonate Google. Does the SSL padlock not mean we are safe anymore?

Flame malware used man-in-the-middle attack against Windows Update


Microsoft has released an emergency update for Windows, revoking digital certificates that could be used to impersonate the Windows Update security service. The Flame malware exploited flaws related to this vulnerability realizing concerns that Windows Update might be compromised to distribute malware.

Another certificate authority issues dangerous certficates


Mozilla has revoked the signing privileges of another certificate authority for issuing weak and incomplete SSL/TLS certificates.

End of the road for DigiNotar as bankruptcy declared


DigiNotar, the Dutch certificate authority which hackers compromised and used to generate hundreds of bogus web security certificates, has filed for bankruptcy.

GlobalSign stops issuing SSL certificates in response to Iranian hacker


Digital certificate authority GlobalSIgn, the fifth largest issuer of SSL certificates, ceased signing new certificates today after accusations by an Iranian hacker that they are compromised.

Microsoft revokes DigiNotar certificates from Windows, Mac users still vulnerable


Microsoft has permanently revoked all five certificates belonging to DigiNotar for Windows users. In addition to Windows 7 and Vista the new release also provides protection for users of Windows XP. Users of Windows should check for updates and apply this patch as soon as possible.

Operation Black Tulip: Fox-IT's report on the DigiNotar breach


A preliminary report was released today by Fox-IT, the security team investigating the attack against certificate authority DigiNotar. Many interesting details are included about the hack, including more indications that it primarily affected Iranian users.

SSL certificate debacle includes CIA, MI6, Mossad and Tor


Over 500 falsely signed certificates have now been identified and browser makers are permanently removing DigiNotar as a trusted certificate authority. The targeted organizations are far reaching including the CIA and MI6.

Falsely issued Google SSL certificate in the wild for more than 5 weeks

Close-up of a lock icon on a computer keyboard button.  Blue-toned.

A rogue certificate was found in the wild more than a month after it was issued allowing someone to masquerade as SSL enabled Google services. Where did this certificate come from, who was using it and what can you do to protect yourself?

No certificate for you! Verisign revokes cert from malware fiends

Image (1) crlpdfa-350.png for post 3503

I spent some time last week looking into the digital signature involved with the recent zero day malware targeting Adobe Reader. Similar to the Stuxnet situation, Verisign has revoked the signing certificate used to sign the payload associated with this Read more…