Topic Summary

Posted by XUKGBM
 - September 03, 2011, 02:28:04 PM


On Sunday (8/28) an Iranian user reported on the Gmail forum that when he tried to sign in to his Gmail account, the Chrome browser showed a certificate warning: the site he was signing in to presented an invalid certificate from a certificate authority (CA) that Chrome did not accept. Mozilla subsequently issued a statement saying it would update Firefox and its other products to block any site using a certificate issued by DigiNotar.

The fraudulent certificate was issued by the Dutch certification authority DigiNotar on July 10 of this year and is valid for every domain ending in google.com. Google never applied for it, however, which means that whoever obtained it could impersonate any Google page and ask users to enter personal data. The Iranian user further speculated that the local government or an ISP was behind it, with the aim of intercepting residents' communications. DigiNotar revoked the certificate on Monday (8/29), after the incident came to light.

Sophos senior security advisor Chester Wisniewski pointed out that DigiNotar has not explained how the certificate came to be issued, whether DigiNotar itself was hacked or the certificate was requested by a company impersonating Google; either way, it shows that the CA architecture everyone had decided to trust is unreliable. Wisniewski also recommended Moxie Marlinspike's Convergence proposal, which suggests doing away with CAs in favour of a notary and proxy system.

Mozilla issued a statement on Monday (8/29) saying it was aware of a fraudulent Google SSL certificate in circulation and would shortly update Firefox, Thunderbird and SeaMonkey to revoke trust in DigiNotar certificates.

Chrome was able to detect the forged certificate immediately thanks to the security update to Chromium 13 in June, which built in certificate pinning and HSTS (HTTP Strict Transport Security): only a very small set of certificates is allowed to vouch for Gmail, which guards against the misuse of CA certificates.

Google's foresight stems from the April intrusion into a partner of the CA Comodo, through which the attackers issued nine forged certificates, including ones for Google, Gmail and Microsoft sites. When Google learned of the new fraudulent certificate this week, it also decided to temporarily block all sites using DigiNotar certificates in Chrome.

-----------------------------------------

It was recently reported that a forged Google certificate had appeared online, issued by the Dutch certification authority DigiNotar. DigiNotar's parent company VASCO admitted this week that DigiNotar's certificate management system was breached in July, leading to the issuance of a number of fraudulent certificates, including one for Google. A Dutch security firm revealed that the attackers obtained more than 200 fraudulent digital certificates.

VASCO explained that DigiNotar discovered the breach of its certificate infrastructure on July 19 of this year. The forged Google certificate, however, was issued on July 10, indicating that the attackers had ample time to obtain other fraudulent certificates.

According to foreign press reports, the Dutch security firm Madison Gurkha, citing its sources, said the attackers may have obtained more than 200 forged certificates, covering not only Google but also Mozilla and Yahoo.

VASCO did not disclose how many certificates were fraudulently issued, but said that upon discovering the intrusion it immediately conducted an audit and revoked those certificates, missing only a single forged Google certificate. Sophos senior security advisor Chester Wisniewski criticized this, saying it casts doubt on the quality and depth of DigiNotar's audit; other security firms also found that several pages on DigiNotar's website had been defaced.

Digital certificates are issued by neutral organizations to confirm that the site a user visits matches the brand it claims to be. But the recent string of breaches at certificate authorities has shaken confidence in the organizations that manage certificates.

After the forged Google certificate began circulating, Google and Mozilla updated their Chrome and Firefox browsers to block sites using DigiNotar certificates. Microsoft also issued a security advisory explaining that it blocks forged certificates through the list of trusted certificates embedded in its operating systems, and that it has removed the certificates issued by DigiNotar from that list.
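The two mitigations described in the articles above, certificate pinning for Gmail in Chrome and removing the compromised root from the operating-system trust list, can be seen side by side in the following Go program. It is an added example, not code from Google, Microsoft or any of the articles; the CA names, the hostname and all keys form a constructed test PKI built with Go's standard crypto/x509 package.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// makeCert issues a constructed test certificate for name; self-signed root when parent is nil.
func makeCert(name string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
	}
	if !isCA {
		tmpl.DNSNames = []string{name} // the SAN a browser matches against the requested host
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

func spkiPin(c *x509.Certificate) [32]byte { // SHA-256 of SubjectPublicKeyInfo, what a pin set stores
	return sha256.Sum256(c.RawSubjectPublicKeyInfo)
}

// verifyPinned runs ordinary path validation, then also requires a pinned key somewhere in the chain.
func verifyPinned(leaf *x509.Certificate, host string, roots *x509.CertPool, pins map[[32]byte]bool) error {
	chains, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	if err != nil {
		return err
	}
	for _, chain := range chains {
		for _, c := range chain {
			if pins[spkiPin(c)] {
				return nil
			}
		}
	}
	return errors.New("chain validates to a trusted root, but none of its keys is pinned")
}
```

With both roots in the CertPool and a pin set holding only the legitimate root's key, a mail.google.com chain from the rogue CA passes path validation but fails the pin check; once the rogue root is dropped from the pool, the same chain fails path validation outright, which is what removing DigiNotar from the trust list achieves for every site.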

-----------------------

Recently, an Iranian user of Google's services was warned by the Chrome browser (developed by Google) not to visit certain Google sites. Posting under the name "Alibo", the user voiced his concern on Google's support forum.

    In a blog post Google said the fake certificate, supposedly issued by a Dutch certification authority called DigiNotar, was part of a "man in the middle" attack. Often abbreviated MITM, such attacks are when a hacker tries to get in between a user and an encrypted or secure service. For example, a hacker could have his system issue a digital certificate -- a "signature" that authenticates a site -- and fool a user into thinking that their communications were securely encrypted when in fact they aren't. Certificates are issued by companies that are trusted, and a "web of trust" is set up for multiple sites. But those companies can be attacked by hackers.


    In this case, a digital certificate that was supposed to have been issued by DigiNotar was a fake, the result of a hacking attack on DigiNotar's systems back in July, which allowed the hackers to generate their own certificates. DigiNotar issued a statement that the fraudulently issued certificates have been revoked. But one was still out there and later, DigiNotar said several dozen certificates had been issued by hackers.


    That was what Alibo found when his browser, Google's Chrome, warned him. The hack seemed to affect users mostly in Iran, and led Alibo to ask if it might be an Iranian government effort to gather information on Internet users there.


    A similar incident occurred in March, when Comodo Group, an American Internet security company, said that hackers had issued several digital certificates for sites such as google.com and mail.google.com. The company originally thought the attack that compromised the user account of a registration authority was from the Iranian government, but later a lone hacker (who happened to be Iranian) claimed credit. In the DigiNotar case there doesn't seem to be any hard evidence who it was.


    Roel Schouwenberg, senior researcher at Kaspersky Lab, says the rogue certificates have all the marks of an intelligence operation, but it isn't clear whether that is the case here. "They're after Google credentials, most likely for gmail specifically. This way emails can be read/written. Also, the nature of the attack requires a certain control over the network/internet. This would entail cooperation at an ISP. As such, a government attack is the most plausible explanation," he wrote in an email.


    Microsoft has issued a security advisory and Mozilla has promised an update, and also released instructions on how to delete the DigiNotar certificate.
