Tag Archive for: Certificate

Dell installs self-signed root certificate on laptops, endangering users’ privacy

Dell laptops are coming preloaded with a self-signed root digital certificate that lets attackers spy on traffic to any secure website.

The reports first surfaced on Reddit and were soon confirmed by other users and security experts on Twitter and blogs. The root certificate, which has the power of a certificate authority on the laptops it’s installed on, comes bundled with its corresponding private key, making the situation worse.

With the private key, which is now available online, anyone can generate a certificate for any website that will be trusted by browsers such as Internet Explorer and Google Chrome that use the Windows certificate store on affected laptops. Security experts have already generated proof-of-concept certificates for *.google.com and bankofamerica.com.

Network World Security

Dell computers shipping with potentially dangerous root certificate authority

At least some Dell laptops are shipping with a trusted root certificate authority pre-installed, something that those who discovered the CA are comparing to the Superfish adware installed on Lenovo machines that left them open to man-in-the-middle attacks.

Called eDellRoot, the trusted root CA comes as part of the standard software load on new Dell machines. A Reddit contributor who uses rotocowboy for a screen name says the implications could be dire. “For those that are unfamiliar with how this works,” he writes, “a network attacker could use this CA to sign his or her own fake certificates for use on real websites and an affected Dell user would be none the wiser unless they happened to check the website’s certificate chain. This CA could also be used to sign code to run on people’s machines, but I haven’t tested this out yet.”

Network World Tim Greene

Encryption project issues first free SSL/TLS certificate

A project that aims to increase the use of encryption by giving away free SSL/TLS certificates has issued its first one, marking the start of its beta program.

The project, called Let’s Encrypt, is run by the Internet Security Research Group (ISRG) and backed by Mozilla, the Electronic Frontier Foundation (EFF), Cisco and Akamai, among others.

Let’s Encrypt plans to distribute free SSL/TLS (Secure Socket Layer/Transport Layer Security) certificates, which encrypt data passed between a website and users. The use of SSL/TLS is signified in most browsers by “https” and a padlock appearing in the URL bar.

Network World Security

Google let root certificate for Gmail expire, causing e-mail hiccups

On Saturday morning, one of Google’s root certificates expired, causing millions of users’ mail clients to suddenly protest. The certificate for Google’s intermediate certificate authority (Google Internet Authority G2) was used to issue Gmail’s certificate for SMTP, and the expiration at 11:55am EDT caused many e-mail clients to stop receiving Gmail messages. While the problem affected most Gmail users using PC and mobile mail clients, Web access to Gmail was unaffected.

Google reported on the company’s Apps status page that engineers had been alerted to “issues with Gmail” at 1:21pm EDT on Saturday. In a later status update, a company spokesperson noted that “affected users are able to access Gmail but are seeing error messages and/or other unexpected behavior” and that “smtp.gmail.com is displaying an invalid certificate.”

The root certificate for Google’s certificate authority was issued by GeoTrust. By 4pm EDT Saturday, the certificate had been updated and is now valid until December 2016.

Ars Technica » Technology Lab