French agency caught minting SSL certificates impersonating Google

Rekindling concerns about the system millions of websites use to encrypt and authenticate sensitive data, Google caught a French governmental agency spoofing digital certificates for several Google domains.

The secure sockets layer (SSL) credentials were digitally signed by a valid certificate authority, an imprimatur that caused most mainstream browsers to place an HTTPS in front of the addresses and display other logos certifying that the connection was the one authorized by Google. In fact, the certificates were unauthorized duplicates that were issued in violation of rules established by browser manufacturers and certificate authority services.

The certificates were issued by an intermediate certificate authority linked to the Agence nationale de la sécurité des systèmes d’information, the French cyberdefense agency better known as ANSSI. After Google brought the certificates to the attention of agency officials, the officials said the intermediate certificate was used in a commercial device on a private network to inspect encrypted traffic with the knowledge of end users, Google security engineer Adam Langley wrote in a blog post published over the weekend. Google updated its Chrome browser to reject all certificates signed by the intermediate authority and asked other browser makers to do the same. Firefox developer Mozilla and Microsoft, developer of Internet Explorer, have followed suit. ANSSI later blamed the mistake on human error. It said it had no security consequences for the French administration or the general public, but the agency has revoked the certificate anyway.


Linux.Darlloz Worm Targets x86 Linux PCs & Embedded Devices

So this is not a particularly technical source article, but it looks fairly interesting and I haven’t heard of this Linux.Darlloz worm before, so it might be new to some of you too. Seems like it’s going after old php-cgi installs, which are very common on embedded systems (routers/pos systems/stbs etc). The vulnerability being used...


Major Tech Companies Call for Greater Digital Due Process in Government Surveillance

AOL, Apple, Facebook, Google, LinkedIn, Microsoft, Twitter and Yahoo have issued an open letter to Washington calling on politicians to reform government surveillance worldwide.

The organizations have outlined five principles that they believe encapsulate and are consistent with “global norms of free expression and privacy” and “the goals of ensuring that government law enforcement and intelligence efforts are rule-bound, narrowly tailored, transparent, and subject to oversight”.

The principles are:

1. Limiting Governments’ Authority to Collect Users’ Information. No bulk downloads of information. Codification of limitations on the ability to compel service providers to disclose data. Limiting surveillance to specific, known users for lawful purposes.

2. Oversight and Accountability. Executive powers to be subject to strong checks and balances and subject to review by independent courts and an adversarial process. Rulings of law should be made public in a timely manner.

3. Transparency About Government Demands. Companies should be able to publish the number and nature of government demands and governments should do so as well.

4. Respecting the Free Flow of Information. Data flow across borders should not be inhibited and service providers should not be required to locate infrastructure within a country.

5. Avoiding Conflicts Among Governments. Mutual legal assistance treaties to permit obtaining data across borders should be robust, principled and transparent and governments should resolve conflicts between their laws.

The Reform Government Surveillance website is here. Microsoft’s General Counsel, Brad Smith, has a blog post here.





Google Releases Google Chrome 31.0.1650.63

Original release date: December 09, 2013

Google has released Google Chrome 31.0.1650.63 for Windows, Mac, Linux and Chrome Frame to address multiple vulnerabilities. These vulnerabilities could allow a remote attacker to hijack a web session, spoof the address bar or cause a denial of service condition.

US-CERT encourages users and administrators to review the Google Chrome Release blog entry and follow best practice security policies to determine which updates should be applied.
