Late last week, Dutch certificate authority DigiNotar was attacked by a hacker known as Comodohacker. The result? Over 500 fake Secure Sockets Layer (SSL) certificates were issued. The victims? Major companies around the world including Facebook, Twitter, Skype, Microsoft and Google. Even the United States’ CIA and Britain’s MI6 were hit. This one was big and more could be on the way.
What does all of this mean to you? SSL certificates are issued to prove a website is legit. This gives you the OK to browse safely. A fake security certificate lets a spoof site pass itself off as the real one, so you can be redirected there without knowing anything is going on. Can you guess what is waiting for you there? That’s right, malware or phishing scams.
Many of these certificates are issued by third-party companies, and the number of providers has recently increased. Who’s to say that all of them are following security procedures as strictly as they should be? It seems everybody’s got keys to the web these days. With that many out there, it’s no wonder someone is able to make copies and do whatever they want with them.
Mozilla has since updated Firefox and Google has updated Chrome to remove this threat. Both updates remove the compromised DigiNotar Root certificate from the trusted list. The browsers should have downloaded these updates automatically, but if not, check to be sure you’re running the latest version.
Microsoft is also in the process of moving all DigiNotar certificates to the Untrusted list. They advise everyone to use Internet Explorer’s Security Status bar (check the right side of the address bar) to verify that the sites you visit are safe and secure to browse.
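To check for yourself that no DigiNotar certificate is still trusted on a machine, you can scan its list of trusted authorities for the name. The script below is an added example, not part of the original article: it uses Python's standard `ssl` module, its function names are hypothetical, and the sample store entries are constructed for illustration.

```python
import ssl

DISTRUSTED_CA_NAME = "diginotar"  # the CA named in this article

def name_fields(rdn_sequence):
    """Flatten the nested tuples ssl uses for subject/issuer into (key, value) pairs."""
    return [(key, value) for rdn in rdn_sequence for (key, value) in rdn]

def find_distrusted(ca_certs, needle=DISTRUSTED_CA_NAME):
    """Return the common names of trusted certs whose subject OR issuer names the CA.

    Checking the issuer as well catches intermediates signed by the distrusted root.
    """
    hits = []
    for cert in ca_certs:
        subject = name_fields(cert.get("subject", ()))
        issuer = name_fields(cert.get("issuer", ()))
        if any(needle in str(value).lower() for _, value in subject + issuer):
            common_name = next((v for k, v in subject if k == "commonName"), "<no CN>")
            hits.append(common_name)
    return hits

def audit_system_store():
    """Scan the certificates Python loads as trusted by default on this machine."""
    # Note: certificates in an OpenSSL capath directory are loaded lazily and may
    # not be listed here; on such systems also scan the directory's files.
    context = ssl.create_default_context()
    return find_distrusted(context.get_ca_certs())

# Constructed sample in the format returned by SSLContext.get_ca_certs().
SAMPLE_STORE = [
    {"subject": ((("organizationName", "DigiNotar"),), (("commonName", "DigiNotar Root CA"),)),
     "issuer": ((("organizationName", "DigiNotar"),), (("commonName", "DigiNotar Root CA"),))},
    {"subject": ((("organizationName", "Example Trust"),), (("commonName", "Example Trust Root"),)),
     "issuer": ((("organizationName", "Example Trust"),), (("commonName", "Example Trust Root"),))},
    {"subject": ((("organizationName", "Example Org"),), (("commonName", "Example Intermediate CA"),)),
     "issuer": ((("organizationName", "DigiNotar"),), (("commonName", "DigiNotar Root CA"),))},
]

if __name__ == "__main__":
    print("Sample store hits:", find_distrusted(SAMPLE_STORE))
    print("System store hits:", audit_system_store() or "none")
```

An empty result for the system store means none of the certificates Python loaded carries the DigiNotar name; browsers that keep their own trust list still need to be checked through their updates.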