Posts Tagged ‘SSL’

No root for you! Google slams door on Symantec certs

Soup Nazi

Google being ‘alarmist’ claims Symantec

The four-month row between Google and Symantec over SSL certificate issuing has just gone nuclear, with the Chocolate Factory making good on its threats and beginning a blockade.

“Over the course of the coming weeks, Google will be moving to distrust the ‘Class 3 Public Primary CA’ root certificate operated by Symantec Corporation, across Chrome, Android, and Google products,” said Google software engineer Ryan Sleevi.

“Symantec has decided that this root will no longer comply with the CA/Browser Forum’s Baseline Requirements. As these requirements reflect industry best practice and are the foundation for publicly trusted certificates, the failure to comply with these represents an unacceptable risk to users of Google products.”

Sleevi said that Symantec had informed Google that the root certificate would be used for purposes other than publicly trusted connections, but isn’t saying what else it might be used for. As a result, it’s on Google’s naughty list.

“Symantec has indicated that they do not believe their customers, who are the operators of secure websites, will be affected by this removal,” Sleevi said. “Further, Symantec has also indicated that, to the best of their knowledge, they do not believe customers who attempt to access sites secured with Symantec certificates will be affected by this.”

Read More by Iain Thomson

Apple promises SSL snooping fix for Mac OS X 10.9 users ‘very soon’

Don’t trust that dial server certificate

Apple has admitted a bug in Mac OS X 10.9.1 could allow hackers to intercept and decrypt SSL-encrypted connections – and has vowed to release a fix “very soon.”

Sensitive information, such as bank card numbers and account passwords, sent over HTTPS and other SSL-protected channels from vulnerable Mac computers could easily end up in the hands of snoopers as a result of this security hole.

The Cupertino giant issued updates for versions 7 and 6 of its mobile operating system iOS on Friday to address the same flaw in iPhones, iPads and iPods.

But it quickly became apparent that the vulnerability also exists in desktop and laptop computers running Mac OS X Mavericks, the latest public release of Apple’s desktop OS.

The security hole was created by a trivial programming cock-up, which causes Apple’s SSL/TLS library to skip over vital verification checks of a server’s authenticity when establishing a connection.

A malicious router, Wi-Fi access point or other man-in-the-middle system could exploit this to silently masquerade as a legit website or online service, and thus intercept, read and tamper with the private contents of a victim’s supposedly secure connection.

Read More by Chris Williams
