The discovery of several fake SSL certificates has put yet another nail in the coffin of internet security. But hack attacks are no longer shocking or terrifying because they are in the news every other day. Anonymous and Lulzsec have become celebrity names rather than groups to fear. This latest revelation, however, is a little concerning.
Security researchers have found a forged internet security certificate that is designed to allow hackers to spy on users’ private emails and communications. Even scarier is the fact that it is the Google sites that were targeted and it is the same type of security technology that protects online bank accounts.
The fraudulent certificate would have allowed hackers to launch fake versions of the Google sites that would appear genuine to users. These sites would then be used to harvest usernames and passwords for the genuine sites.
I know I trust my Google account undoubtedly; I am logged in on my phone, laptop and work computer and never really think to check the security protocols. It’s Google. They’re huge, there’s no chance people can steal my details from Google.
This time round the forged certificate may not have affected me at all; it was, after all, an Iranian who discovered the breach, and it is thought to be part of the government in Tehran’s attempt to monitor dissidents. But it shows that it can be done.
This ‘man-in-the-middle’ attack undermines all confidence in SSL (Secure Sockets Layer), the security protocol used to authenticate all sorts of sensitive web traffic – not forgetting your online bank account.
This morning it was revealed that the Mozilla Firefox add-ons site was also affected by forged certificates, but Mozilla did not confirm whether hackers had used the forgeries to harvest any details.
It seems to be another damning example of why the current method of validating a website’s authenticity is broken, and a wake-up call to end users to be more cautious online.