2011-09-09

If updating your web browser is something that you typically put off, now is the time to break that habit. A recently discovered attack by an Iranian hacker has thwarted the industry-standard approach to online security, causing browser makers and security firms to scramble to restore balance.



What is a web browser?

Not sure what a web browser is? Check out WhatBrowser.org, watch the video, then come back here.

Ready? Good.

Let me tell you a story…

Let’s say you’re visiting a new place, and you have this really cool cab driver driving you around so that you can go site-seeing. This cab driver has agreed to be like a tour guide, taking you wherever you want to go so that you can explore all of the interesting (web)sites. This driver — let’s call him Mr. Firefox — takes you all sorts of places that you want to go. He always knows the best routes to take, and always makes sure you get there safely. As your cab driver, you trust that he will get you there safely.

Following me so far?

But there’s something you don’t know about Mr. Firefox: He’s retarded. Like, completely and utterly retarded. Like, little yellow school bus retarded. If you told him to drive into the lake, he would. He’s that stupid.

On the upside, Mr. Firefox knows that he’s retarded, so to deal with this he surrounds himself with a bunch of really good people that he knows he can trust. These people — let’s call them the Authorities — look out for him, and teach him which places are safe and which are not. This way, if you were to ask Mr. Firefox to drive into a lake, he would know that this is a bad idea and won’t do it (or will at least tell you how bad of an idea it is).

A dirty cop

Now, what if it was discovered that one of these Authorities was a dirty cop? This dirty cop has been taking bribes from Iranian terrorists to tell Mr. Firefox that it’s perfectly safe to drive you into a lake. Or that the bridge that was under construction is finally ready to drive across, when really it would collapse. Nobody is waving a gun in your face, but you’re still in danger, even though you can’t see it.

You trust your cab driver, who trusts the Authorities — one of which is a lying douchebag.

It really happened!

Well, this is what has happened to the Internet over the past few weeks. You trust your web browser, your web browser trusts the Certificate Authorities, and two of these Certificate Authorities were hacked by Iranian terrorists. These terrorists generated security certificates so that they could impersonate and eavesdrop on sites you know and love: Facebook, Twitter, Yahoo!, Google, Gmail, Yahoo Mail, Hotmail, Mozilla, and even the C.I.A. Over 511 sites in all (up from 250 when this was first written) are affected by this, and still counting.

To stay safe, browser makers (Mozilla, Microsoft, Google and Apple) have started issuing updates that revoke their trust in these hacked Certificate Authorities. As such, you need to make sure you’re running the very latest version of your web browser.
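To make the chain of trust concrete, here is a small added example (written for this page, not taken from any browser or CA vendor) that plays out the story in code: it creates two throwaway root certificates, an honest Authority and a compromised one, has the compromised one sign a certificate for a host name the attacker does not own, and then checks that certificate the way a browser would, first with the old trust store and then after the "update" that removes the compromised root. All names, keys and the host name mail.example.com are constructed placeholders; only Go's standard library is used.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newKey generates a fresh P-256 key. Every key here is a throwaway demo key.
func newKey() *ecdsa.PrivateKey {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return key
}

// sign fills in a short validity window, has parentKey sign tmpl, and parses the result.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	tmpl.NotBefore = time.Now().Add(-time.Hour)
	tmpl.NotAfter = time.Now().Add(24 * time.Hour)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// makeCA creates a self-signed root: one of the "Authorities" a browser trusts.
func makeCA(name string, serial int64) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := newKey()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	return sign(tmpl, tmpl, &key.PublicKey, key), key
}

// issueLeaf has a CA sign a server certificate for host. Whoever holds the CA's
// key can do this for any host name, which is why a CA compromise is so serious.
func issueLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, host string, serial int64) *x509.Certificate {
	key := newKey()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return sign(tmpl, ca, &key.PublicKey, caKey)
}

// browserCheck does what a browser does when it connects to host: it verifies that
// the presented certificate chains to a root in its trust store and names that host.
func browserCheck(roots *x509.CertPool, leaf *x509.Certificate, host string) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// Demo returns the verification result for a certificate minted by a compromised CA,
// first with the trust store as shipped before the incident (before) and then after
// the browser update that removes the compromised root (after).
func Demo(host string) (before, after error) {
	goodCA, _ := makeCA("Honest Root CA (constructed)", 1)
	badCA, badKey := makeCA("Compromised Root CA (constructed)", 2)

	// The attacker, holding the compromised CA's key, mints a cert for a site they don't own.
	fraudulent := issueLeaf(badCA, badKey, host, 1001)

	// Old trust store: both Authorities are trusted, so the fraudulent cert passes.
	oldStore := x509.NewCertPool()
	oldStore.AddCert(goodCA)
	oldStore.AddCert(badCA)
	before = browserCheck(oldStore, fraudulent, host)

	// New trust store after the update: the compromised root is gone, so it fails.
	newStore := x509.NewCertPool()
	newStore.AddCert(goodCA)
	after = browserCheck(newStore, fraudulent, host)
	return before, after
}

func main() {
	before, after := Demo("mail.example.com") // constructed placeholder host name
	fmt.Println("before update:", before)
	fmt.Println("after update: ", after)
}
```

The first check returns no error: nothing in the certificate itself gives the fraud away, which is why an un-updated browser happily connects. The second returns an "unknown authority" error, which is the whole effect of the browser updates described above: the fraudulent certificates are not taken back from the attacker, the browser simply stops believing the Authority that signed them.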

How do I stay safe?

The best way to stay safe is to update your browser to the very latest version. If you’re not sure what browser you’re running, check out WhatBrowser.org. It will tell you.

If you have a computer running Microsoft Windows and/or are running the Internet Explorer web browser, make sure you run Microsoft Update (formerly Windows Update) and install all of the available updates — specifically Security Advisory 2607712.

If you have a computer running Mac OS X and/or are running the Safari web browser, make sure you run Software Update and install all of the available updates — specifically Security Update 2011-005.

If you’re running the Mozilla Firefox web browser, make sure you update to the latest version (6.0.2 at the time of this writing).

If you’re running the Google Chrome web browser, you get automatic updates, so you probably don’t have a lot to worry about.

Where can I learn more?

Here are some links about what has happened. I’ll group them into two categories: less technical and more technical.

Less technical

http://www.bbc.co.uk/news/technology-12847072

http://news.cnet.com/8301-31921_3-20046340-281.html

https://www.readwriteweb.com/hack/2011/08/ssl-certificates-whats-left-to.php

http://www.wired.com/threatlevel/2011/03/comodo_hack/

http://feeds.arstechnica.com/~r/arstechnica/index/~3/3Vj5zxvMwGw/comodo-hacker-i-hacked-diginotar-too-other-cas-breached.ars

https://secure.wikimedia.org/wikipedia/en/wiki/DigiNotar#Issuance_of_fraudulent_certificates

https://secure.wikimedia.org/wikipedia/en/wiki/Comodo_Group#Breach_of_security

More technical

https://blog.mozilla.com/security/2011/08/29/fraudulent-google-com-certificate/

https://blog.mozilla.com/security/2011/09/02/diginotar-removal-follow-up/

http://googleonlinesecurity.blogspot.com/2011/08/update-on-attempted-man-in-middle.html

https://blogs.technet.com/b/msrc/archive/2011/08/29/microsoft-releases-security-advisory-2607712.aspx

https://blog.torproject.org/blog/detecting-certificate-authority-compromises-and-web-browser-collusion

http://www.f-secure.com/weblog/archives/00002128.html

http://pastebin.com/u/ComodoHacker

Update: Bankruptcy (2011-09-25)

DigiNotar has filed for bankruptcy:

This is unsurprising, since a report issued by security audit firm Fox-IT, who has been hired to investigate the now notorious DigiNotar breach, revealed that things were far worse than we were led to believe. [...]

All CA servers were members of one Windows domain and all accessible with one user/password combination. Moreover, the used password was simple and susceptible to brute-force attacks.
