- 浏览: 141255 次
- 性别:
- 来自: 南宁
文章分类
- 全部博客 (137)
- J2SE API基础 (19)
- JAVA Structure/Algorithm (1)
- 设计模式及UML(pd/rose) (11)
- SSH (32)
- JPA/EJB/JSF (0)
- Jsp/Servlet (1)
- XML (0)
- DWR/Dojo/JQuery(Ajax) (1)
- Js/css/HTML (3)
- Java报表开发 (0)
- 网络协议及认证加密算法 (2)
- Java多线程网络编程 (1)
- Lucence (0)
- Oracle Developer (5)
- Oracle DBA (3)
- mysql/SQLServer/DB2 (5)
- Weblogic配置/调试 (0)
- Tomcat/JBoss/Websphere (10)
- Linux/Unix操作部署及shell编程 (9)
- C/C++编程 (4)
- 系统分析 (0)
- 项目管理(CVS&风险控制) (0)
- JUnit单元和J2EE集成测试 (2)
- 软设/招聘 (6)
- IT English (8)
- Mathematics/Data Mining (1)
- Android开发爱好 (1)
- Flash制作爱好 (0)
- Professional wisdom (4)
- 序言 (1)
- 聊天记录 (0)
- 理想 (3)
- 承诺 (0)
- oifuslfjsldkj_chatrecord (1)
最新评论
-
blues1021:
dafeiwudi 写道什么叫外频和陪频啊?一般电脑都显示主频 ...
计算机组成原理和结构-时钟周期、机器周期、总线周期、指令周期含义和关系 -
dafeiwudi:
什么叫外频和陪频啊?一般电脑都显示主频,它不表示运算速递,我们 ...
计算机组成原理和结构-时钟周期、机器周期、总线周期、指令周期含义和关系
A Dutch company appears to have issued a digital certificate for Google.com to someone other than Google, who may be using it to try to re-direct traffic of users based in Iran.
Yesterday, someone reported on a Google support site that when attempting to log in to Gmail the browser issued a warning for the digital certificate used as proof that the site is legitimate, according to this thread on a Google support forum site.
"Today, when I tried to login to my Gmail account I saw a certificate warning in Chrome," someone using the screen name "alibo" wrote. "I think my ISP or my government did this attack (because I live in Iran and you may hear something about the story of Comodo hacker!)" Alibo then posted a screenshot and the text of the certificate. The screenshot page was not accessible.
In this case the browser of the person reporting the problem warned that there was a problem with the digital certificate. However, it's unclear what triggered the warning and other browsers may not. In that event, a user could end up on a site that purports to be google.com but isn't.
CNET verified that the digital certificate is fraudulent. This Pastebin post details how to verify that a certificate is real and notes that it was issued in July. More information on how to mitigate the risk from the DigiNotar certificate is provided on this Facebook page from Ryan Hurst, manager of advertising security engineering at Microsoft.
A Google spokesman provided CNET with this statement: "A Chrome security feature warned the user of the invalid certificate and blocked them from visiting the attacker's site. We're pleased that the security measures in Chrome protected the user and brought this attack to the public's attention. While we investigate, we plan to block any sites whose certificates were signed by DigiNotar."
Mozilla said in a blog post that it was "Because the extent of the mis-issuance is not clear, we are releasing new versions of Firefox ... shortly that will revoke trust in the DigiNotar root and protect users from this attack. We encourage all users to keep their software up-to-date by regularly applying security updates. Users can also manually disable the DigiNotar root through the Firefox preferences."
The certificate was issued by DigiNotar, based in the Netherlands. Representatives from the company did not immediately respond to an e-mail seeking comment today and an automated message said the offices were closed for the night and offered no voice-mail option. A phone call and e-mail to Vasco Data Security, parent company of DigiNotar, were not immediately returned.
The situation is similar to one that happened in March in which spoofed certificates were found involving Google, Yahoo, Microsoft, and other major sites and they used Internet Protocol addresses in Iran. In that case, the fraudulent digital certificates were acquired through reseller partners of certificate authority Comodo and a 21-year-old Iranian patriot took credit for the attack, saying he was protesting U.S. foreign policy.
Moxie Marlinspike, chief technology officer of mobile security firm Whisper Systems and an expert on Internet authentication infrastructure, warned against jumping to conclusions about who is behind the attack.
"Clearly something is amiss. There's a rogue cert for all of Google services in the wild," he told CNET. "Of course many people are quick to claim that the state of Iran is responsible for all this but I think it's probably too soon to draw that conclusion. There doesn't seem to be any specific evidence."
These situations happen all the time, and rather than point fingers, the industry should fix the underlying problem, he said. In the meantime, individual Web surfers can protect themselves by using a Firefox plug-in Marlinspike developed called Convergence . "My hope is that this will be integrated into Web browsers themselves" in the future, he said.
These attacks illustrate a fundamental weakness with the current Web site authentication system in which third parties issue certificates that prove that a Web site is legitimate when making an "https://" connection. The list of certificate issuers has ballooned over the years to approximately 650 organizations, which may not always follow the strictest security procedures. And each one has a copy of the Web's master keys. There is no automated process to revoke fraudulent certificates, nor is there a public list of certificates that companies like Comodo have issued, or even which of its resellers or partners have been given a duplicate set of the master keys. And there are no mechanisms to prevent fraudulent certificates for Yahoo Mail or Gmail from being issued by compromised companies, or repressive regimes bent on surveillance.
Today's system gives browser makers tremendous responsibility. Any list of so-called certificate authorities they include will be trusted by billions of Web browsers around the world, unless users take the time to change the settings.
"I expect this type of attack to become somewhat commonplace in time," said Roel Schouwenberg, senior researcher at Kaspersky Lab. "And in this case we may be looking at a double whammy - not only does SSL suffer yet another blow, we may also be looking at a serious compromise within Vasco. The latter could have a very significant impact."
Update at 3:36 p.m. PT with Mozilla comment and mitigation information from Microsoft representative 3:27 p.m. PT with comment from Google, Marlinspike and Schouwenberg and 1:45 p.m. PT : Added details about the browser warning, and about CNET attempts to reach Vasco Data Security. and
CNET's Declan McCullagh contributed to this report.
发表评论
-
Linux Foundation Releases Specification to Ease Licensing Headaches
2011-08-29 13:37 740qualify取得资格,使胜任 quality品质,特性 ... -
游泳英文词汇-工厂模式游泳小程序
2011-08-10 01:55 1235prelim预备,预赛 seed种子,选出选手 lane小 ... -
Repositioning Java.net in Dev Ecosystem at Meruvian/Indonesia
2011-08-10 01:54 624institution:??nst??tu??n,惯例,习 ... -
Struts1中的<form-bean>和<action-mapping>属性
2011-08-10 01:54 11521.<form-bean> Con ... -
medium vote theory
2011-05-29 13:49 761medium vote theory中间立场理论, stra ... -
home agent and foreign agent
2011-04-11 00:21 764词汇: mechanism 机械 构造 maint ... -
words about Apache struts
2011-04-16 01:00 627buzzword 流行词 complaint 抱怨 com ...
相关推荐
《Catch the Black Sheep: Unified Shilling Attack Detection based on Fraudulent Action Propagation》是一篇探讨如何有效检测电子商务系统中欺诈性用户评论(即刷单攻击)的研究论文。文章介绍了一种新的统一...
ccording to the Internet research firm comScore, goods and services worthmorethan$17billionweresoldviatheInternetinthefirstquar- ter of 2002. It has been our experience that wherever money goes, crime...
On the other hand, fraudulent projects initiated on crowdfunding platforms with high return rates to attract investments could potentially violate the crime of illegally absorbing public deposits. ...
检测欺诈性信用卡交易 训练了隔离林异常检测算法,该算法可在预测测试集上的欺诈性交易时提供96.5%的准确性。 该数据集是一个包含284,807个事务的偏斜数据集,其中只有492个事务是易处理的(0.172%)。...
Data Mining with R: Learning with Case Studies, Second Edition uses practical examples to illustrate the power of R and data mining. Providing an extensive update to the best-selling first edition, ...
该数据集收集了1998年至2007年之间的2500多个“尼日利亚”欺诈信。 fradulent_emails.txt
点 and loopholes in the law, allowing them to engage in fraudulent activities for illegal profits. On the other hand, the general public's lack of awareness about food safety exacerbates the danger, ...
Over the years, there have been many successful applications of machine learning, ranging from data-mining programs that learn to detect fraudulent credit card transactions to information-filtering ...
The Licensee especially undertakes to keep secret software and documentation and not to disclose them to any third party, neither as a whole nor in part, or pass them to any third party, unless he is...
Outliers arise due to mechanical faults, changes in system behaviour, fraudulent behaviour, human error, instrument error or simply through natural deviations in populations. Their detection can ...
the directors of Sanbase Corporation Limited confirm, after reasonable inquiry, that the information presented in the annual report is accurate and complete, free from misleading or fraudulent ...
Touch-less based acquired images are free from latent fingerprint issues that can lead to fraudulent use. Hence, the security and privacy protection of fingerprint biometric templates is consolidated...
Conversely, critics argue that it lacks personal touch and may lead to fraudulent activities.” 5. **危害分析**(弊):进一步深入探讨现象的负面影响。以网上购物为例,可提及网络诈骗、个人信息泄露等...
Thirdly, it can be used for fraud detection, helping financial institutions to identify and prevent fraudulent activities. In conclusion, the proposed credit evaluation model based on natural ...
机器学习是我们日常接触到的许多产品的长期发展动力,从类似于 Apple 的 Siri 和 Google 的智能助手,到类似于亚马逊的建议你买新产品的推荐引擎再到 Google 和 Facebook 使用的广告排名系统。最近,机器学习又由于...
在幕后,它执行的检查要比欧洲刑警组织建议的11个手动步骤多得多:https://www.europol.europa.eu/activities-services/public-awareness-and-prevention-guides/how-to-detect-fraudulent -sites-selling-fakes此...
Is Fraudulent:交易是否欺诈的二进制指标(1 表示欺诈,0 表示合法)。 账户期限天数:交易时客户账户的期限(以天为单位)。 交易时间:交易发生的时间。 目的 该数据集旨在用于开发和测试电子商务交易中欺诈检测...
1.6.1 Basic communications on the Internet. . . . . . . . . . . . . . . . 32 1.6.2 Computer security and computer forensics . . . . . . . . . . . . . 35 v 1.7 Overview of the following chapters. . . ....