Bad guys grabbed a key to Google


If I said "there's a forged Google certificate loose in the world," you probably wouldn't think much of it. How about this: bad guys have a new way to hack into your Gmail, your Google+, Documents and anything Google. Yeah, that's a little more eye-opening.

Hackers apparently broke into the network of DigiNotar, a Dutch company that provides verification certificates for websites. The hackers were then able to create fake Google certificates that let them carry out what are called "man-in-the-middle attacks," where the hackers slip in between you and the website you're trying to reach.

Why? Chester Wisniewski of the security firm Sophos tells us, "In this case, the reason you'd make a fake one would be to intercept communications to see what (people are) saying privately like in their Gmail or their instant messaging. The certificate that was discovered was discovered by a gentleman in Iran, so it could be used by the government who wants to spy on people's activities, or it could be used by people who want to commit ID theft or recover secret documents from your Google Docs repository."

It's essentially like someone broke into a locksmith's shop and made a bunch of keys to Google.

This fake Google certificate is worrisome, but for people like Chris Soghoian, it's not especially surprising. He's a privacy and security researcher and graduate fellow at The Center for Applied Cybersecurity Research at Indiana University. He says, "The certificate system is hopelessly broken. We have far too many companies who are in a position to create these certificates. And unfortunately, we have a situation where we're vulnerable to essentially the weakest link. If one certificate authority has bad security, then they can issue sites for Gmail or Yahoo or Bank of America and consumers can and will have their communications hijacked as a result."

As for what you can do about it, Soghoian says to make sure you're always running the latest update of your browser. Generally, if the browser companies know about a problem like this, they can stop it with an update, but you have to do your part.

Also in this program, HP killed its TouchPad because no one was buying it. Then after they killed it, everyone started buying it. So now they're bringing it back for one more run. Then they plan to kill it again. Presumably to drive up demand. Before bringing it back. And then killing it.

About the author

John Moe is the host of Marketplace Tech Report, where he provides an insightful overview of the latest tech news.
