Gmail Attack Highlights Web Insecurity
A man-in-the-middle attack that relied on an unauthorized Google SSL certificate has revived concern over whether any Web communication is really secure.
"Alibo" posted a copy of the certificate to PasteBin, and security researcher Moxie Marlinspike confirmed via Twitter that the certificate has a valid signature. That means that the person or entity using it could use it to intercept Gmail traffic via a man-in-the-middle (MITM) attack.
Google acknowledged the reported MITM attack and noted that the certificate authority (CA) issuing the certificate, DigiNotar, should not be issuing certificates for Google. The company also called attention to a Chrome security feature that blocked the attack.
"We're pleased that the security measures in Chrome protected the user and brought this attack to the public's attention," a spokesperson said in an email. "While we investigate, we plan to block any sites whose certificates were signed by DigiNotar."
To continue reading, here is the complete posting.