Interesting article about the deprecation of SHA-1 certificates for security reasons, the comparison to MD5, and why it is taking so long for browsers and websites to stop supporting SHA-1.
Facebook's Chief Security Officer reported that between 3% and 7% of browsers don't support SHA-256. In a country breakdown, it's not surprising to see these numbers come from the developing world (interesting to see China with more than 6% of users not supporting SHA-256, probably due to their reliance on XP).
Certificate on Dell Laptops Breaks Encrypted HTTPS Connections
(blog.hboeck.de)
Just as Lenovo was found earlier this year to ship the malicious Superfish root certificate on its new laptops to "enhance" users' experience with targeted ads, Dell has now been found to ship its very own root certificate, called eDellRoot.
The certificate, installed in the system's certificate store under the name "eDellRoot", is added by a piece of software called Dell Foundation Services, which is still available on Dell's web page. According to Dell's somewhat unclear description, it is used to provide "foundational services facilitating customer serviceability, messaging and support functions". While Dell claims it was shipped to provide user support, and there is no evidence it is being used to inject ads as in the Superfish case, this is still a huge security issue: anybody with access to the private key (which has already been extracted and posted online) can perform MITM attacks against any user with the eDellRoot CA installed.
Google warns of unauthorized TLS certificates trusted by almost all OSes | Ars Technica
(arstechnica.com)
On Friday, March 20th, we became aware of unauthorized digital certificates for several Google domains. The certificates were issued by an intermediate certificate authority apparently held by a company called MCS Holdings. This intermediate certificate was issued by CNNIC.

Reminder to go through all trusted root CAs in Keychain Access / Certificate Manager tools and delete/untrust all "shady" roots (CNNIC, TurkTrust, etc.)
CNNIC is included in all major root stores and so the misissued certificates would be trusted by almost all browsers and operating systems. Chrome on Windows, OS X, and Linux, ChromeOS, and Firefox 33 and greater would have rejected these certificates because of public-key pinning, although misissued certificates for other sites likely exist.
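The eDellRoot entry above and the reminder to review trusted roots both come down to the same chore: auditing the local root store. Here is an added example of that audit for Windows (it is not code from any of the linked articles); the list of suspect subject names is an assumption drawn from the names on this page, and it assumes Windows PowerShell 3 or later run elevated so the LocalMachine store is readable.

```powershell
# Added example: audit the Windows trusted-root stores for roots called out on this page
# and for any trusted root that carries a private key on the endpoint.
# Assumption: PowerShell 3+, elevated session for Cert:\LocalMachine\Root.

# Subject substrings worth a second look (assumed list, taken from the names on this page).
$SuspectNames = @('eDellRoot', 'Superfish', 'CNNIC', 'TURKTRUST')

function Get-SuspectRootCerts {
    param([string[]] $Stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'))
    foreach ($store in $Stores) {
        foreach ($cert in Get-ChildItem -Path $store) {
            $reasons = @()
            foreach ($name in $SuspectNames) {
                if ($cert.Subject -like "*$name*") { $reasons += "subject matches '$name'" }
            }
            # A trusted root whose private key is stored on the endpoint lets anyone who can
            # read that key issue certificates for any site (the eDellRoot problem).
            if ($cert.HasPrivateKey) { $reasons += 'private key present in store' }
            if ($reasons.Count -gt 0) {
                [pscustomobject]@{
                    Store      = $store
                    Subject    = $cert.Subject
                    Thumbprint = $cert.Thumbprint
                    NotAfter   = $cert.NotAfter
                    Reasons    = ($reasons -join '; ')
                }
            }
        }
    }
}

$findings = Get-SuspectRootCerts
$findings | Format-Table -AutoSize

# Untrust a finding only after reviewing it; -WhatIf previews the removal without doing it.
foreach ($f in $findings) {
    Remove-Item -Path "$($f.Store)\$($f.Thumbprint)" -WhatIf
}
```

Drop the -WhatIf once you have confirmed a finding is really an unwanted root; on macOS the equivalent review is done in Keychain Access, as the note above says.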