Web

Forged security certificate targets Gmail users

Gmail-SSL-DigiNotar

A fraudulent Google security certificate has found its way onto the web, making it possible for hackers to access the accounts of Gmail users, reports CNet. The certificate is reportedly being used to target Gmail users located in Iran.

The Secure Sockets Layer (SSL) certificate was issued by Dutch security authority DigiNotar to unidentified attackers on July 10. The attackers apparently tricked DigiNotar into thinking the request for the SSL certificate was coming from Google, which prompted the security authority to release the certificate.

Armed with the SSL certificate, the attackers have been able to set up fake versions of Google websites — Gmail appears to have been the focus — which appear genuine to both users and users’ web browsers, which can detect fake websites that do not have the proper SSL certificate.

Known as a “man in the middle” (MITM) attack, this technique allowed the hackers to fool users into entering their real Gmail credentials into the fake site, giving them access to those users’ email accounts.

A Gmail user in Iran, who goes by the name “alibo” first posted the problem to the Google users forum.

“Today, when I trid to login to my Gmail account I saw a certificate warning in Chrome. I took a screenshot and I saved certificate to a file.” wrote alibo. “When I used a vpn I didn’t see any warning! I think my ISP or my government did this attack (because I live in Iran and you may hear something about the story of Comodo hacker!)”

The Comodo alibo refers to was a similar case, which took place back in March. Certificate authority Comodo issued a variety of fraudulent digital certificates for sites owned by Google, Yahoo, Microsoft and others. A 21-year-old Iranian claimed to have been responsible for the attack, saying his actions were in protest of US foreign policy.

In this most recent instance, Google has so far only touted the security prowess of its Chrome browser.

“A Chrome security feature warned the user of the invalid certificate and blocked them from visiting the attacker’s site. We’re pleased that the security measures in Chrome protected the user and brought this attack to the public’s attention,” a Google spokesperson told CNet. “While we investigate, we plan to block any sites whose certificates were signed by DigiNotar.”

Mozilla also responded to the attack, saying on its blog, “Because the extent of the mis-issuance is not clear, we are releasing new versions of Firefox… shortly that will revoke trust in the DigiNotar root and protect users from this attack. We encourage all users to keep their software up-to-date by regularly applying security updates.”

DigiNotar has so far remained silent on its mistake.

UPDATE: Google’s Information Security Manager, Heather Adkins, has released an official statement on the Google online security blog. It reads:

Today we received reports of attempted SSL man-in-the-middle (MITM) attacks against Google users, whereby someone tried to get between them and encrypted Google services. The people affected were primarily located in Iran. The attacker used a fraudulent SSL certificate issued by DigiNotar, a root certificate authority that should not issue certificates for Google (and has since revoked it).

Google Chrome users were protected from this attack because Chrome was able to detect the fraudulent certificate.

To further protect the safety and privacy of our users, we plan to disable the DigiNotar certificate authority in Chrome while investigations continue. Mozilla also moved quickly to protect its users. This means that Chrome and Firefox users will receive alerts if they try to visit websites that use DigiNotar certificates.

To help deter unwanted surveillance, we recommend that users, especially those in Iran, keep their web browsers and operating systems up to date and pay attention to web browser security warnings.

[Image via joingate/Shutterstock]

Mobile

Sign In with Apple sticks it to Google and Facebook, for the good of everyone

Apple wants you to use its new Sign In with Apple service, which promises to free you from password hell, without selling your soul to the advertising devil. Is it worth using when it launches this year?
Photography

Looking for free public domain images? Here are the best websites to find them

Wouldn't it be wonderful to freely download and use an image from the web without the looming fear of prosecution? Of course! That's why we've put together a list of the best places to download free public domain images.
Movies & TV

Save a few bucks with the best free feature-length movies on YouTube

Bank account emptier than you thought? Check out our curated list of the best full-length movies on YouTube to find flicks that are free, legally uploaded, and actually worth watching.
Web

NSA warns about Windows exploit, ignores its own role in creation of malware

In a rare occurrence, the National Security Agency has published a statement urging people to update their Windows systems to protect against the BlueKeep vulnerability, a recently-detailed wormable exploit affecting Windows 7 and earlier.
Web

Maker Media, the company behind MAKE magazine and Maker Faire events, shuts down

Sad news for DIY enthusiasts: Maker Media, the company which runs the Maker Faire events and which produces the magazine MAKE, is shutting down. The company has laid off all its staff and is ceasing operations.
Computing

Paid browsers are the future, and Firefox might offer a better deal than Chrome

Just like Google, Mozilla is planning on offering premium web-browsing services. Unlike Google, however, it seems like Mozilla might have a better strategy for encouraging users to subscribe to its future premium plans.
Computing

Opera GX is a browser for gamers, but the actual gaming is still to come

Every company seems to have a product line or two aimed squarely at gamers, so why not browsers too? Opera has a new branch of its main browser called Opera GX and it's designed specifically with gamers in mind.
Mobile

Amazon Prime Day 2019 will likely be on July 15, according to leaked email

It looks like we now have an idea of when Amazon Prime Day 2019 will be, thanks to a leaked email that was sent out to promote a vacuum cleaner deal for Prime Day. According to the email, the massive shopping event will take place on July…
Social Media

Here's how to unblock someone on Facebook when you've had a change of heart

Maybe you were a little too hasty blocking that one person on Facebook ... or maybe you just want to do a little spying to see what they're up to. Either way, you can fix the situation easily. Here's how to unblock someone on Facebook.
Music

The best free music download sites that are totally legal

Finding music that is both free and legal to download can be difficult. We've hand-picked a selection of the best free music download sites for you to legally download your next favorite album.
Computing

Dropbox’s all-new desktop app wants to be your one and only workspace

Dropbox has unveiled its most significant update yet as it continues to move away from its original core service as a place to store files in the cloud, toward a virtual workspace solution that offers all services in-app.
Social Media

Here's how to link your Instagram, Facebook accounts for social syncing

Instagram and Facebook go hand in hand. Here's how you can make the most of the superior integration offered by the two social media behemoths, which should help your pics gain more exposure in the long run.
Outdoors

For $5,000, Airbnb will take you around the world in 80 days. Airfare included

Airbnb's new Adventures allow travelers can book a mix of accommodations, food, and experiences in what Airbnb calls "bucket list" worthy trips, including a round-the-world trip for just $5,000
Home Theater

Netflix can drain your data in a hurry. Here's how to turn it down a notch

Ever wondered how much data you need to stream a show (or movie) on Netflix? You aren't alone. The answer could be anywhere from 1GB per hour to 7GB per hour, but there's more to it than that. Here's how to control your Netflix data.