Important! Browser Updates For Everyone March 2011

Important updates were released this week (March 2011) for the Windows operating system and for the browsers on all computers, whatever they run.

First, you need to make sure your browser has been updated no matter what type of computer you use!

If your computer runs Windows, Microsoft has released an out-of-band (emergency) update. Other operating systems may have updates as well. Whatever you run, make sure your browser is updated too: Mozilla, after releasing Firefox 4, also released updates for the older versions of Firefox, and Google has updated Chrome automatically.

Again, make sure your browser is updated and, if you have a Windows computer, make sure Windows has updated as well. To check, run Windows Update from the Start Menu and confirm there are no critical updates still waiting to be installed. This update was released late Wednesday.

Why all this fuss about updating? It may be an international incident. It may have to do with an attempt by a government to spy on people. Keep reading and I’ll try to explain what happened.

Video: How To Update Windows XP Manually (http://www.youtube.com/watch?v=2coTJHY8O-8)

What happened?

Around March 15th, several digital security certificates were issued to a party that should never have received them.

Digital security certificates are how your browser confirms it is connected to the right website, and they are what the browser uses to set up the encryption that keeps the information passing between your browser and the website’s server private. When you log into a bank you make a secure connection to that site (you can tell because the address in your browser changes from http to https at the beginning). The same happens with email and many other sites you log into. Certificates are normally issued only by a small number of trusted organizations (certificate authorities) so that they stay trustworthy. Basically, we need a trusted source to tell your browser who else it can trust.

[Image: Windows Update, as it appears in the Start Menu]

The certificate is supposed to prove to your browser that it is connected to the genuine site. When your browser connects to a site, the site presents its certificate, and the browser checks that it was issued by one of the certificate authorities it trusts (on Windows, the operating system keeps the list of trusted authorities and does much of this checking) and that the name on it matches the site, before it encrypts anything. Once you see the https, your information should be safe to send, as it is encrypted and going to the site named on the certificate. A certificate is valid for a set period (sometimes years), and unless the browser learns that it has been revoked, it will keep accepting that certificate every time you connect until it expires.

In this case, the security certificates for several extremely popular websites were given to someone who does not own or control those sites.

Some of those site include:

  • login.live.com
  • mail.google.com
  • www.google.com
  • login.yahoo.com (3 certificates)
  • login.skype.com
  • addons.mozilla.org (already known from an earlier announcement by Mozilla)
  • “Global Trustee”

You’ll note that all three of the most popular internet email providers, Microsoft, Google, and Yahoo, are in the list. What this means is that someone who holds these bad certificates can pretend to be one of these sites and your browser will assume it is connected to the legitimate site. They could also sit in the middle of the connection between your computer and the site and read the encrypted information. Think of when China recently interrupted email to Google, or when a routing “mistake” temporarily sent a large part of the internet’s traffic through a certain country. Whoever diverts the traffic would be able to read everything sent to these sites, or pretend to be them.

Let’s put it another way:

Let’s say you have an extremely important message you need to send across town. It is so important that you need the police to carry it there for you. You call the police station and they send an officer to your house to pick up the message. When an officer shows up at your door you ask for identification. You then call the police station to make sure you have a real police officer. They even fax you the officer’s identification so you know that a real officer is picking up the message. Unfortunately, neither you nor the police station knows that he is not really an officer at all but a criminal just out of jail. The folks at the police station are looking at documents that say he is an officer, and you are looking at a real official ID.

The same thing happens here with your browser and computer. Everything that can be checked says you are connected to the legitimate site, and the fake site even encrypts your information just like the real one. Unfortunately, it is not the real site. Worse, your browser will keep accepting that certificate until its expiration date, because there has not been a good, reliable way for browsers to check whether a certificate has been revoked.
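To make the two points above concrete, here is an added example (not code from the original post) that builds a toy certificate authority with the openssl command-line tool. It shows that a CA your client trusts can sign a certificate for mail.google.com for anyone who asks, that a plain verification accepts it, and that even after the CA revokes it the certificate is still accepted unless the verifier is handed the revocation list and told to check it. The CA name, hostnames and file names are assumptions made for this demonstration; it needs only the openssl binary and writes into a temporary directory.

```shell
#!/bin/sh
# Added example, not code from the original post. A toy certificate authority
# built with the openssl command-line tool, to show:
#   1. any CA your browser trusts can sign a certificate for any name, so a
#      certificate for mail.google.com issued to an attacker still verifies;
#   2. revoking that certificate only helps if the client actually checks the
#      revocation list, which a plain verify does not.
# "Toy Root CA", mail.google.com and the file names are assumptions here.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# 1. The root CA. Its certificate stands in for an entry in your browser's
#    list of trusted certificate authorities.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
    -subj "/CN=Toy Root CA" -keyout ca.key -out ca.crt 2>/dev/null

# 2. The attacker makes a key pair and requests a certificate for a hostname
#    they do not own. Nothing in the certificate format stops this request.
openssl req -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=mail.google.com" -keyout attacker.key -out attacker.csr 2>/dev/null

# 3. The CA signs it: this is the mis-issuance in the incident.
openssl x509 -req -in attacker.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -sha256 -days 1 -out attacker.crt 2>/dev/null

# A verifier that trusts the CA, like a browser, accepts the bad certificate.
# Called again after the revocation below, it still says OK, because the
# CA certificate alone carries no revocation information.
verify_without_crl() {
    openssl verify -CAfile ca.crt attacker.crt 2>&1 | tail -n 1
}

# 4. The CA revokes the certificate and publishes a revocation list (CRL).
#    A minimal config for "openssl ca" is all that is needed for this step.
cat > toy-ca.cnf <<'EOF'
[ ca ]
default_ca       = toy
[ toy ]
dir              = .
database         = $dir/index.txt
new_certs_dir    = $dir
certificate      = $dir/ca.crt
private_key      = $dir/ca.key
serial           = $dir/ca.srl
default_md       = sha256
default_days     = 1
default_crl_days = 1
policy           = toy_policy
[ toy_policy ]
commonName       = supplied
EOF
touch index.txt
openssl ca -config toy-ca.cnf -revoke attacker.crt 2>/dev/null
openssl ca -config toy-ca.cnf -gencrl -out ca.crl 2>/dev/null

# 5. Only when the CRL is loaded next to the CA certificate AND -crl_check is
#    requested does the verifier reject the certificate. Prints the reason
#    openssl gives ("certificate revoked"), or nothing if it was accepted.
verify_with_crl_check() {
    cat ca.crt ca.crl > trust.pem
    openssl verify -crl_check -CAfile trust.pem attacker.crt 2>&1 \
        | grep -o 'certificate revoked' | head -n 1 || true
}

echo "after revocation, no CRL check:   $(verify_without_crl)"
echo "after revocation, with CRL check: $(verify_with_crl_check)"
```

The first line printed is "attacker.crt: OK" even though the CA has already revoked the certificate; the second is "certificate revoked". That gap, between a certificate being revoked at the CA and a client actually learning about it, is what the browser and Windows updates close by shipping the bad certificates as explicitly untrusted.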

As soon as it was discovered that the certificates had been issued, they were revoked. It is not certain that the attacker received all of the certificates, but at least one definitely was received. A user account at a partner of a major certificate provider, which had recently been attacked, was used to obtain these certificates.

The certificate provider that was attacked seems to believe that the Iranian government was involved in the attack.

They list several reasons for this:

  • The attacker was well prepared
  • The attacker knew exactly what he wanted to get
  • The attack targeted communications and not financial infrastructure targets
  • The attack worked with clinical accuracy
  • The majority of the IP addresses used were Iranian in origin
  • An Iranian website was used to test one of the certificates (the certificate provider saw a revocation-status check for it)
  • To use the certificates in an attack there must be control of DNS infrastructure (the ability to send a user’s connection for those sites to the attacker’s server instead)
  • The Iranian government has carried out similar attacks before

You can check the original incident report at http://www.comodo.com/Comodo-Fraud-Incident-2011-03-23.html

For the revocation of these certificates to take effect on your computer, all this upgrading is needed to clear them out: the updates mark the bad certificates as untrusted so the browser no longer has to rely on a revocation check that it may never make. So…upgrade your browser and upgrade your operating system (Windows for sure; other operating systems may not need it) right away. There have not been any known uses of the bad certificates in an attack.

Yet.

That we know of.