Rogue Google certificate loose in the wild

Lock up your Googles! A forged certificate has been detected that can allow hackers to get into just about any Google account you can think of, including Gmail.

From the Telegraph:

The "man in the middle" attack also further undermines general confidence in the Secure Sockets Layer (SSL), a security protocol used to authenticate all kinds of sensitive internet traffic, including online banking. SSL certificates are meant to act as an independent third party to verify that communication between a website and a browser is secure.

The forgery appears to be based in Iran. This issue casts a light on the pretty weird and highly byzantine system of certificates and who is authorized to issue them. Short answer: dozens of places you wouldn't expect, many of them holdovers from the early days of the web. Since these certificates are what verify identity on the web, a lot of people think there need to be fewer issuing authorities, which could be more easily managed.

About the author

John Moe is the host of Marketplace Tech Report, where he provides an insightful overview of the latest tech news.

