Even the mighty fall to identity theft once in a while

By Nathan Larson
Published 31 Aug 2011

What, even Google? Did it drop its wallet in the parking lot? Well, not exactly, and the attack wasn't in Google's control at all. The bad guy broke into a certificate authority's servers (DigiNotar) and issued himself a certificate for *.google.com. The asterisk is a wildcard: that one certificate is valid for mail.google.com (Gmail), plus.google.com, docs.google.com, and every other name one label below google.com. Anyone who can redirect your traffic, a man in the middle on your network or at your ISP, can then present that certificate, and your browser will accept the impostor as the authentic Google, padlock and all.
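To make the reach of that wildcard concrete, here is an added example (not part of the original post) in PowerShell that applies the name-matching rule browsers use for wildcard certificates, as specified in RFC 6125 section 6.4.3: the asterisk must be the whole left-most label and stands for exactly one label. The host names tested at the bottom are constructed for the demonstration; `mail.google.com.evil.example` is a made-up attacker domain.

```powershell
# Added example, not from the original post. Implements the host-name matching
# rule for wildcard certificates (RFC 6125, section 6.4.3): the '*' must be the
# entire left-most label and matches exactly one label.
function Test-CertNameMatch {
    param(
        [Parameter(Mandatory=$true)][string]$CertName,   # name in the certificate, e.g. *.google.com
        [Parameter(Mandatory=$true)][string]$HostName    # name the browser was asked to reach
    )
    $pattern = $CertName.ToLowerInvariant().TrimEnd('.')
    $target  = $HostName.ToLowerInvariant().TrimEnd('.')

    # No wildcard: the names must be identical.
    if (-not $pattern.Contains('*')) { return ($pattern -eq $target) }

    $pLabels = $pattern.Split('.')
    $tLabels = $target.Split('.')

    # Only a lone '*' as the left-most label is honoured, and at least two fixed
    # labels must follow it, so '*.com' and 'ma*.google.com' never match anything.
    if ($pLabels[0] -ne '*' -or $pLabels.Count -lt 3) { return $false }
    if ($pattern.IndexOf('*') -ne $pattern.LastIndexOf('*')) { return $false }

    # The wildcard covers exactly one label, so google.com (too few labels) and
    # a.b.google.com (too many) are both rejected.
    if ($tLabels.Count -ne $pLabels.Count) { return $false }
    if ($tLabels[0].Length -eq 0) { return $false }

    for ($i = 1; $i -lt $pLabels.Count; $i++) {
        if ($pLabels[$i] -ne $tLabels[$i]) { return $false }
    }
    return $true
}

# Which names would the fraudulent *.google.com certificate have covered?
# (Constructed list; the last entry is a made-up attacker domain.)
$hosts = 'mail.google.com', 'docs.google.com', 'plus.google.com',
         'google.com', 'www.google.co.uk', 'a.b.google.com',
         'mail.google.com.evil.example'
foreach ($h in $hosts) {
    '{0,-30} {1}' -f $h, (Test-CertNameMatch -CertName '*.google.com' -HostName $h)
}
```

The first three names match and the rest do not. The practical point for this incident: the attacker did not need one certificate per Google service; a single wildcard certificate covered every Google subdomain, but not google.com itself or Google's other top-level domains.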

This happened Tuesday, and thankfully the major browsers already have updates available that stop trusting DigiNotar outright. (The certificate itself has also been revoked, but browsers commonly ignore a revocation check that fails to complete, so don't rely on revocation alone.) To be sure though, following are directions on how to check for the offending root certificate and remove it. We'll assume you're using Windows with Firefox, Chrome, Safari, or (erk!) Internet Explorer. Linux users should be able to easily adapt these instructions. Mac users, see the update below.

Update: As of Sept. 9th, Mac users have the DigiNotar certs deleted from their updated systems — however, iPhone/iPad/iTouch/iEtc. users still need to watch out. [1]

There’s some politics behind this story, but that’s not the focus of this post. The concern here is getting you browsing safely.

Update the browser
Firefox

Open Firefox, select the Firefox menu —> Help —> About Firefox. You should see the window read "Downloading update" with a download size count. Click the Apply Update button when it appears. After Firefox restarts, you should see a page that reads, "Your Firefox is up to date." Double-check that the About Firefox window shows version 6.0.1, the release that removed trust in DigiNotar.

If that didn't happen, browse to www.mozilla.org and click the Get Firefox button. Save the installer and, when it's done downloading, double-click Firefox Setup 6.0.1.exe (the version current as of today).

Chrome

Since this is Google's baby, you might expect that the company is on top of the problem, and you'd be right. According to a Google blog post, "Google Chrome users were protected from this attack because Chrome was able to detect the fraudulent certificate." [2] Chrome could do that because it ships with a built-in list of the public keys Google's own sites are allowed to use (certificate pinning), so a DigiNotar-issued certificate for *.google.com was rejected even though DigiNotar was a trusted CA. Chrome updates itself automatically in the background; restart it to make sure the update that removes DigiNotar is active.

Safari

Browse to http://www.apple.com/safari/download and click the Download button. Save the installer and, when it's done downloading, double-click SafariSetup.exe to install version 5.1. Note that Safari on Windows decides which CAs to trust using the Windows certificate store, so the Windows update in the next section is what actually removes DigiNotar for Safari.

Internet Explorer

Configure Windows to automatically check for and download/install updates, and you'll get Microsoft's fix, which moves the DigiNotar root certificates into the Untrusted Certificates store. On Windows 7: Start —> Control Panel —> System and Security —> Windows Update —> Check for updates, then install whatever is offered.

Confirm that the bad certificate is gone
Firefox

In Firefox, select the Firefox menu —> Options —> Options, then the Advanced button at the top of the new window, then the Encryption tab. (They really don't want users to find this.) Now click the View Certificates button and choose the Authorities tab. Firefox keeps its own certificate store, separate from the one Windows uses, so you need this check even if Windows is clean. Scroll down the alphabetized list until you see the place where "DigiNotar" belongs. If it's not there, you're good. If it still exists, select "DigiNotar Root CA" and click the Delete or Distrust button.

Fig 1. Deleting a certificate in Firefox.

Chrome, Safari, and Internet Explorer

These three use the certificate store that Windows maintains. The certificate did not appear in this writer's install of Windows 7, but it's good to check in any case. One caveat: Windows Vista and 7 don't preinstall every trusted root; a root is downloaded from Windows Update the first time a certificate chaining to it is seen, so DigiNotar missing from the Trusted Root list does not prove Windows distrusts it. The reliable sign is a DigiNotar entry in the Untrusted Certificates tab, which is where Microsoft's update puts it. The list is accessible as follows:

Chrome: Select the Wrench icon —> Options —> Under the Hood —> HTTPS/SSL —> Manage certificates. This opens the Windows Certificates dialog; check the Trusted Root Certification Authorities tab, then the Untrusted Certificates tab.

Safari: Gear icon —> Preferences —> Advanced panel. Click the Proxies: Change Settings button, then the Content tab in the new window. Click the Certificates button, then the Trusted Root Certification Authorities tab, then the Untrusted Certificates tab.

Internet Explorer: Select Tools —> Internet Options, then the Content tab in the new window. Click the Certificates button, then the Trusted Root Certification Authorities tab, then the Untrusted Certificates tab.
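Clicking through three browsers' dialogs gets old, and none of them shows the two machine-wide stores that matter most at a glance. Here is an added example (not part of the original post) in PowerShell that performs the same check from the command line over the Windows certificate stores Chrome, Safari for Windows and Internet Explorer rely on. It uses the Cert: drive that Windows PowerShell 2.0 (the version on Windows 7) already provides; the store names and the "DigiNotar" search pattern are the only assumptions.

```powershell
# Added example, not from the original post: list every certificate in the
# Windows certificate stores whose subject or issuer mentions DigiNotar, and
# say whether it sits in a trusted store or in the Untrusted (Disallowed) store.
$pattern = 'DigiNotar'

# Root       = Trusted Root Certification Authorities
# AuthRoot   = roots delivered by Microsoft's Automatic Root Update
# CA         = Intermediate Certification Authorities
# Disallowed = Untrusted Certificates (where Microsoft's update places DigiNotar)
$storeNames = 'Root', 'AuthRoot', 'CA', 'Disallowed'

$found = @()
foreach ($scope in 'LocalMachine', 'CurrentUser') {
    foreach ($name in $storeNames) {
        $path = "Cert:\$scope\$name"
        if (-not (Test-Path $path)) { continue }
        # @() keeps $found an array even when a store yields no matches
        $found += @(Get-ChildItem $path |
            Where-Object { $_.Subject -match $pattern -or $_.Issuer -match $pattern } |
            Select-Object @{n='Store';e={$path}}, Subject, Thumbprint, NotAfter)
    }
}

if ($found.Count -eq 0) {
    Write-Host "No certificate matching '$pattern' in any store."
    # Windows fetches roots on demand, so absence alone does not mean distrust.
    Write-Host "Absence is not proof of distrust: confirm the Microsoft update is installed."
} else {
    $found | Format-Table -AutoSize
    $stillTrusted = $found | Where-Object { $_.Store -notmatch '\\Disallowed$' }
    if ($stillTrusted) {
        Write-Warning "DigiNotar certificates remain in a trusted store; install the Microsoft update or move them to Untrusted Certificates."
    } else {
        Write-Host "All DigiNotar certificates are in the Untrusted (Disallowed) store: good."
    }
}
```

Run it in a PowerShell prompt opened as Administrator so the LocalMachine stores are readable. The healthy outcome after Microsoft's update is a short list in which every entry's Store ends in Disallowed; an empty result is not by itself reassuring, for the reason given above. Firefox is not covered, because it keeps its own certificate database inside the profile folder.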

Glossary

Certificate — a signed statement, issued by a certificate authority, that binds a public key to a name such as www.google.com. It is not encrypted; anyone can read it. Your browser trusts a site because the certificate's signature chains back to a CA root it already trusts.

Certificate Authority (CA) — an organization whose root certificate browsers and operating systems ship as trusted. Any trusted CA can issue a certificate for any domain, which is why a break-in at one small CA endangers every site on the web.

Certificate revocation — a CA's public notice (through a certificate revocation list or the OCSP protocol) that a certificate should no longer be accepted. Browsers check it inconsistently and usually fail open when the check cannot complete, which is why the fix here is a browser update that distrusts the CA rather than revocation alone.

Public key — the publicly available half of an asymmetric key pair. Check back here later for a good discussion of Public Key Cryptography.

References

[1] http://www.theregister.co.uk/2011/09/09/apple_purges_diginotar_certificates

[2] http://googleonlinesecurity.blogspot.com/2011/08/update-on-attempted-man-in-middle.html