Rogue Google certificate loose in the wild

John Moe Aug 30, 2011

Lock up your Googles! A forged certificate has been detected that can allow hackers to get into just about any Google account you can think of, including Gmail.

From the Telegraph:

The “man in the middle” attack also further undermines general confidence in the Secure Sockets Layer (SSL), a security protocol used to authenticate all kinds of sensitive internet traffic, including online banking. SSL certificates are meant to act as an independent third party to verify that communication between a website and a browser is secure.

The forgery appears to be based in Iran. This issue casts a light on the pretty weird and highly byzantine system of certifications and who is authorized to issue them. Short answer: dozens of places you wouldn’t expect, many of them holdovers from the early days of the web. Since these certificates are what verify identity on the web, a lot of people think there need to be fewer issuing authorities, which could then be more easily managed.
