Microsoft warns about two apps that installed root certificates then leaked the private keys

In researchers’ own words “every system on which HeadSetup […] was installed at any time in the past […] remains vulnerable” until users manually review the Trusted Root Certificate Store and remove the two certificates, or until the certificates expire –which could be January 13, 2027, or July 27, 2037, respectively.

Source: Microsoft warns about two apps that installed root certificates then leaked the private keys | ZDNet

Two More Self-Signed Certs, Private Keys Found on Dell Machines

Dell Foundation Services installs the cert and its purpose is to quicken online support engagements with Dell staff. The certificate, Dell said, allows online support to identify the PC model, drivers, OS, hard drive and more.”

Source: Two More Self-Signed Certs, Private Keys Found on Dell Machines | Threatpost | The first stop for security news

So far, eDellroot has been found on Dell XPS 15 laptops, M4800 workstations, and Inspiron desktops and laptops.

“It means attackers are de facto certificate authorities, free to generate man-in-the-middle certs, or just direct phishing sites that won’t get flagged as illegitimate,”

SSL TLS HTTPS Web Server Certificate Fingerprints  

Public and Private keys form cryptographically matched pairs. It is not feasible to derive one from the other, yet what one encrypts only the matching other can decrypt. Website SSL security certificates provide the site’s Public cryptographic key which is the public side of the server’s secret Private cryptographic key which is never publicly disclosed. Only the certificate’s public key can be used to encrypt data which the remote server can decrypt only using its matching private key. Since the SSL Proxy Appliance does not have the private key of the remote server—because only the remote server has it—the fake & fraudulent certificate the SSL Proxy provides to the user’s web browser is forced to use a different public key for which it does have a matching private key. And that means that no matter how hard any SSL-intercepting Proxy Appliance may try to spoof and fake any other server’s certificate, the certificate’s public key MUST BE DIFFERENT

via GRC | SSL TLS HTTPS Web Server Certificate Fingerprints  

The remote server’s REAL certificate and the SSL Appliance’s FAKED certificate MUST HAVE AND WILL HAVE radically different fingerprints.  They will not be remotely similar..

Microsoft Warns Customers Away From RC4, SHA-1

RC4 is among the older stream cipher suites in use today, and there have been a number of practical attacks against it, including plaintext-recovery attacks. The improvements in computing power have made many of these attacks more feasible for attackers, and so Microsoft is telling developers to drop RC4 from their applications.

via Microsoft Warns Customers Away From RC4, SHA-1 | Threatpost | The First Stop For Security News.

The software company also is recommending that certificate authorities and others stop using the SHA-1 algorithm.

Security Firm Bit9 Hacked, Used to Spread Malware

An hour after being contacted by KrebsOnSecurity, Bit9 published a blog post acknowledging a break-in. The company said attackers managed to compromise some of Bit9′s systems that were not protected by the company’s own software. Once inside, the firm said, attackers were able to steal Bit9′s secret code-signing certificates.

via Security Firm Bit9 Hacked, Used to Spread Malware — Krebs on Security.

Turkish agency blamed by U.S. companies for intercepted Web pages

“The logical theory is that the transportation agency was using it to spy on its own employees,” said Chris Soghoian, a former Federal Trade Commission technology expert now working for the American Civil Liberties Union.

Validation authority alone isn’t enough to intercept traffic, the most likely goal of the project. The authenticator would also have to come in contact with the Web user.

via Turkish agency blamed by U.S. companies for intercepted Web pages | Reuters.

The ICSI Certificate Notary

Much of the Internet’s end-to-end security relies on the SSL protocol, along with its underlying X.509 certificate infrastructure. However, the system remains quite brittle due to its liberal delegation of signing authority: a single compromised certification authority undermines trust globally. The ICSI Notary helps clients to identify malicious certificates by providing a third-party perspective on what they should expect to receive from a server. While similar in spirit to existing efforts, such as Convergence and the EFF’s SSL observatory, our notary collects certificates passively from live upstream traffic at multiple independent Internet sites, aggregating them into a central database in near-realtime.

via The ICSI Certificate Notary.

Which SSL certificate should I buy?

SSL certificates that most web browsers can accept without grief are sold by a relatively small number of companies. That’s because the major web browsers are shipped with a certain set of “root certificate authorities” that they trust… and if your certificate isn’t signed by one of those authorities, or by a certificate “chained” from one of them, then you’re out of luck— the web browser will display a scary warning to the user or, in some cases, refuse to work with your site at all.

The cost of SSL certificates varies quite a bit, from as little as $20 to as much as $1,000 or more. Why such a big difference? There are three main reasons:

via WWW FAQs: Which SSL certificate should I buy?.

2. Some certificates are directly signed by a trusted root certificate, while others are “chained” from another “intermediate” certificate. This isn’t really a problem, as long as the company selling you the chained certificate really does own the root certificate. But some webmasters get confused by intermediate certificates, fail to install them correctly, and mistakenly think they have purchased a bad certificate. So chained certificates are usually less expensive to allow for this inconvenience, even though there is no real technical disadvantage.

Tatu Ylonen, father of SSH, says security is ‘getting worse’

I think it’s getting worse. Consumer privacy is disappearing totally. And SSL [Secure Sockets Layer] is being questioned and the problem isn’t the protocol itself but the key infrastructure. There have been several incidents where someone has stolen from the certificate authorities.


Microsoft Revokes Trust in 28 of Its Own Certificates

Microsoft has not said exactly what the now-untrusted certificates were used for, but company officials said there were a total of 28 certificates affected by the move. Many of the affected certificates are listed simply as “Microsoft Online Svcs”. However, the company said that it was confident that none of them had been compromised or used maliciously. The move to revoke trust in these certificates is a direct result of the investigation into the Flame malware and how the attackers were able to forge a Microsoft certificate and then use it to impersonate a Windows Update server.

via Microsoft Revokes Trust in 28 of Its Own Certificates | threatpost.