Friday, March 25, 2011
Tor and EFF report major breach with HTTPS CAs, possibly linked to Iran
The Electronic Frontier Foundation has a story this morning about how an HTTPS/TLS certificate authority (CA) was recently duped into issuing phony certificates, apparently by hackers in Iran (probably connected to its government). In the story, dated March 23 and written by Peter Eckersley (here), EFF warns that the incident threatened an “internet-wide security meltdown”.
The Tor Project also has a blog entry about this here.
EFF goes on to give some discussion of DNSSEC-PKI (link), and refers to questions about the underlying security of the domain name system, which erupted in a major security crisis in the middle of 2008.
It’s still very much an open subject.
HTTPS is absolutely essential when surfing and entering any passwords or personal information in a wireless environment.
Curiously, this morning, on my Windows 7 Pro machine, I had trouble getting to EFF from Google Chrome, but it worked in Mozilla, and on a nearby XP machine in Chrome. There could be a subtle issue with https, Windows 7 and Chrome together in some circumstances.