Iran forged the wrong SSL certificate
There has been a lot of talk recently about how someone — who everyone presumes is the Iranian government — obtained a fake SSL certificate for *.google.com from DigiNotar; this is the second such case this year, as in March someone (again, presumed to be the Iranian government) obtained fraudulent certificates from Comodo for Firefox extensions, Google, Gmail, Skype, Windows Live, and Yahoo. (Interestingly, while everybody is removing DigiNotar's certificate authority key from their trusted lists, Comodo — which has issued far more certificates — is still widely trusted. I wonder if they got a free ride because nobody wants to ship "the web browser which doesn't work with my bank".)
If you want to be really evil, however, *.google.com is the wrong SSL certificate to forge. The right one? ssl.google-analytics.com.
And if you trust Google and you're not worried about Iran's demonstrated ability to obtain forged SSL certificates, ask yourself this: Do you trust the Chinese Ministry of Information Industry? Because your web browser probably does.