Dan on Security
Google warns of unauthorized TLS certificates trusted by almost all OSes | Ars Technica

On Friday, March 20th, we became aware of unauthorized digital certificates for several Google domains. The certificates were issued by an intermediate certificate authority apparently held by a company called MCS Holdings. This intermediate certificate was issued by CNNIC.

CNNIC is included in all major root stores and so the misissued certificates would be trusted by almost all browsers and operating systems. Chrome on Windows, OS X, and Linux, ChromeOS, and Firefox 33 and greater would have rejected these certificates because of public-key pinning, although misissued certificates for other sites likely exist.

Reminder to go through all trusted Root CAs in Keychain Access / Certificate Manager tools and delete/untrust all "shady" roots (CNNIC, Turktrust, etc.).
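A scripted first pass over a trust store, as an added example that is not part of the original post: it flags roots whose subject matches the names above so they can be reviewed by hand. It assumes the store is read through Python's `ssl` module, which loads the Windows certificate store or the OpenSSL bundle but not the macOS Keychain; the sample roots and their dates are constructed.

```python
import ssl
import unicodedata

# Names taken from the post; a match is a prompt for review, not a trust decision.
WATCHLIST = ("CNNIC", "Turktrust")

# Constructed sample in the shape returned by SSLContext.get_ca_certs().
SAMPLE_ROOTS = [
    {"subject": ((("countryName", "CN"),), (("organizationName", "CNNIC"),),
                 (("commonName", "CNNIC ROOT"),)),
     "notAfter": "Jan  1 00:00:00 2030 GMT"},
    {"subject": ((("countryName", "TR"),),
                 (("commonName", "TÜRKTRUST Example Root"),)),
     "notAfter": "Jan  1 00:00:00 2030 GMT"},
    {"subject": ((("organizationName", "Example Trust Services"),),
                 (("commonName", "Example Global Root"),)),
     "notAfter": "Jan  1 00:00:00 2030 GMT"},
]

def fold(text):
    """Case- and accent-insensitive form, so 'Turktrust' matches 'TÜRKTRUST'."""
    decomposed = unicodedata.normalize("NFKD", text)
    return "".join(c for c in decomposed if not unicodedata.combining(c)).casefold()

def flag_roots(ca_certs, watchlist=WATCHLIST):
    """Return sorted (organizationName, commonName, notAfter) for matching roots."""
    terms = [fold(t) for t in watchlist]
    hits = []
    for cert in ca_certs:
        # get_ca_certs() nests each subject field as a tuple of (key, value) pairs.
        subject = {k: v for rdn in cert.get("subject", ()) for k, v in rdn}
        haystack = fold(" ".join(subject.values()))
        if any(t in haystack for t in terms):
            hits.append((subject.get("organizationName", ""),
                         subject.get("commonName", ""),
                         cert.get("notAfter", "")))
    return sorted(hits)

def system_roots():
    """Roots the default TLS context has loaded (can be empty on capath-only systems)."""
    return ssl.create_default_context().get_ca_certs()

if __name__ == "__main__":
    for org, cn, expires in flag_roots(system_roots()):
        print(f"REVIEW: O={org!r} CN={cn!r} expires {expires}")
```

The accent folding matters because a plain case-insensitive comparison would miss a subject spelled with "Ü" when the watchlist entry is typed as "Turktrust".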

Tags: ssl tls certificates