ocean

Anonymous

April 01, 2011
 

from chinaz.com

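April 1 news: Today, JavaEye.com, a well-known Java programming website in China, was forced to change its site name and domain, giving up the JavaEye brand it had operated for 7 years. The site has now been officially renamed the ItEye technology website, and the domain javaeye.com redirects to iteye.com.

JavaEye published an announcement stating that Oracle, through an authorized law firm, imposed unacceptably harsh conditions on the JavaEye website. After prolonged negotiation efforts proved fruitless, the law firm authorized by Oracle took a hard-line stance, demanded that we comply, and threatened to have the javaeye.com domain suspended. We were therefore forced to give up the JavaEye domain and the JavaEye brand, which had been in operation for 7 years, and rename the site ItEye.

The following is the official description of the events:

Starting from November 26, 2010:

On November 26 we received a lawyer's letter from the Liande law firm (联德律师事务所), authorized by Oracle (see the attachment for the letter), claiming that we had used the javaeye.com domain without Oracle's authorization and were suspected of misleading use of the JAVA trademark, and demanding the following of us:

Oracle wrote:

1. Do not use the “JavaEye” mark on the javaeye.com home page, and switch to another name, for example “EyeonJava”;

2. Add a statement in a prominent position on the javaeye.com website indicating that the site has no relationship with Oracle America, Inc., such as: “[Eye on Java]—An Unofficial Community on JAVA”, or “[Eye on Java]—An Independent Community on JAVA”;

What is strange about these two conditions is: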

March 29, 2011
 

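China Webmaster Station

JD.com (Jingdong) needs no further introduction from me; anyone with a little online shopping experience knows that it is currently a giant in China's B2C sector. We are amazed by Jingdong's low prices, by its complete range of product categories, and by its heavily funded self-built logistics and customer service systems. At the opening session of the Shenzhen E-commerce Lecture Hall on March 27, Jingdong head Liu Qiangdong's remark that "B2C cannot avoid price wars, but fighting only price wars absolutely will not work" drew rounds of applause from the audience. That applause reflects the distress of the many B2C merchants who cannot extricate themselves from the bitter e-commerce price war and who, in their confusion, have not found a clear direction for profit.

B2C merchants all sell goods and cannot avoid using price as a marketing tool. As for how to avoid fighting only price wars, Liu Qiangdong could not possibly say so plainly in public. But the author, 狼里格朗, has a personal reading of Jingdong's profit model, offered here for everyone to mull over.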

March 24, 2011
 

Report of incident on 15-MAR-2011

An RA suffered an attack that resulted in a breach of one user account of that specific RA.
This RA account was then used fraudulently to issue 9 certificates (across 7 different domains).

All of these certificates were revoked immediately on discovery.
Monitoring of OCSP responder traffic has not detected any attempted use of these certificates after their revocation.

Fraudulently issued certificates

9 certificates were issued as follows:

Domain:  mail.google.com    [NOT seen live on the internet]
Serial:  047ECBE9FCA55F7BD09EAE36E10CAE1E

Domain:  www.google.com  [NOT seen live on the internet]
Serial:  00F5C86AF36162F13A64F54F6DC9587C06

Domain:  login.yahoo.com  [Seen live on the internet]
Serial:  00D7558FDAF5F1105BB213282B707729A3

Domain:  login.yahoo.com    [NOT seen live on the internet]
Serial:  392A434F0E07DF1F8AA305DE34E0C229

Domain:  login.yahoo.com     [NOT seen live on the internet]
Serial:  3E75CED46B693021218830AE86A82A71

Domain:  login.skype.com     [NOT seen live on the internet]
Serial:  00E9028B9578E415DC1A710A2B88154447

Domain:  addons.mozilla.org     [NOT seen live on the internet]
Serial:  009239D5348F40D1695A745470E1F23F43

Domain:  login.live.com     [NOT seen live on the internet]
Serial:  00B0B7133ED096F9B56FAE91C874BD3AC0

Domain:  global trustee     [NOT seen live on the internet]
Serial:  00D8F35F4EB7872B2DAB0692E315382FB0

What didn’t Happen

Our CA infrastructure was not compromised.
Our keys in our HSMs were not compromised.
No other RA was compromised.  No other RA user accounts were compromised.

What Happened

One user account in one RA was compromised.
The attacker created himself a new userID (with a new username and password) on the compromised user account.

March 24, 2011
 

The content is long; take your time reading it.

Detecting Certificate Authority compromises and web browser collusion

Posted March 22nd, 2011 by ioerror

Thanks to Ian Gallagher, Seth Schoen, Jesse Burns, Chris Palmer, and other anonymous birds for their invaluable feedback on this writeup.

The Tor Project has long understood that the certification authority (CA) model of trust on the internet is susceptible to various methods of compromise. Without strong anonymity, the ability to perform targeted attacks with the blessing of a CA key is serious. In the past, I’ve worked on attacks relating to SSL/TLS trust models and for quite some time, I’ve hunted for evidence of non-academic CA compromise in the wild.

I’ve also looked for special kinds of cooperation between CAs and browsers. Proof of collusion will give us facts. It will also give us a real understanding of the faith placed in the strength of the underlying systems.

Does certificate revocation really work? No, it does not. How much faith does a vendor actually put into revocation, when verifiable evidence of malice is detected or known? Not much, and that’s the subject of this writing.

Last week, a smoking gun came into sight: A Certification Authority appeared to be compromised in some capacity, and the attacker issued themselves valid HTTPS certificates for high-value web sites. With these certificates, the attacker could impersonate the identities of the victim web sites or other related systems, probably undetectably for the majority of users on the internet.

I watch the Chromium and Mozilla Firefox projects carefully, because they are so important to the internet infrastructure. On the evening of 16 March, I noticed a very interesting code change to Chromium: revision 78478, Thu Mar 17 00:48:21 2011 UTC.

In this revision, the developers added X509Certificate::IsBlacklisted, which returns true if a HTTPS certificate has one of these particular serial numbers:

047ecbe9fca55f7bd09eae36e10cae1e
d8f35f4eb7872b2dab0692e315382fb0
b0b7133ed096f9b56fae91c874bd3ac0
9239d5348f40d1695a745470e1f23f43
d7558fdaf5f1105bb213282b707729a3
f5c86af36162f13a64f54f6dc9587c06

A comment marks the first as “Not a real certificate. For testing only.” but we don’t know if this means the other certificates are or are not also for testing.

March 24, 2011
 

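2011-03-24 Internet Weekly (互联网周刊)  Authors: Qi Yan, Sun Xiaohong

For most internet users, IDC (Internet Data Center) may be just an abstruse concept. But within the framework of the whole internet economy, IDC is an indispensable presence.

IDC is a basic resource of the internet. It can provide high-end data transmission services and high-speed access services, and it arose in response to the needs of ICPs (Internet Content Providers). The more developed the internet economy, the more content and application resources there are on the internet, and correspondingly the greater the demand for IDC. One can say that IDC is a barometer of internet development.

After years of development, IDC functions have expanded from basic services such as server colocation, bandwidth rental, and server rental to value-added services such as network security services, managed maintenance services, and data storage. With the continued advance of China's informatization strategy and the emergence of concepts such as the Internet of Things and cloud computing, IDC still has a great deal of room to develop.

But how far IDC can go depends largely not on how much potential it has, but on whether it has the opportunity to realize that potential. China's IDC industry has always faced institutional difficulties.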

March 23, 2011
 

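This article is detailed and covers building a home NAS server; it is worth a read. I checked it against the original file and added a few items that had been left out.
I have only translated it and have not verified the installation. I have tried to avoid technical errors, and I hope interested fans can test it and share their experience.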

HOWTO: Home-made NAS server with Ubuntu 8.04.1

There are many NAS products for home users on the market, such as Synology, Qnap, LinkStation, etc. Their performance is not good and they are not cheap. However, they are good at low power consumption. I say this because I own more than one brand of such products at home now.

Recently, I bought a VIA PC-1 PC2500E motherboard, which has a VIA C7-D 1.5GHz CPU on board. It is cheap and uses less power too. The maximum amount of RAM is 2 GB.

After testing it with Ubuntu 8.04.1 Desktop version for a while, I am very satisfied with the performance of the CPU, although it is indeed not very fast. I decided to build a home-made NAS server with a remote BitTorrent function.

Hardware
Motherboard – VIA PC-1 PC2500E with VIA C7-D 1.5GHz CPU
RAM – 2 X 1GB DDR2 667MHz (maximum)
Hard drive – 300GB Seagate SATA (The motherboard treats it as ATA drive)
Router – Planet WRT-401E (wired) (optional)

Software
Operating system – Ubuntu 8.04.1 Server Edition
File server – Samba
FTP server – vsFTPd
Remote access – OpenSSH
Web Server – Apache, PHP and MySQL
Remote BitTorrent – TorrentFlux (front-end) and BitTornado (back-end)
Security software – Fail2Ban

March 18, 2011
 

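[Sohu IT News] Beijing time, March 18: Michael Arrington, founder of the technology blog TechCrunch, wrote in a blog post today that Digg founder Kevin Rose no longer uses his own company's service.

The once-glamorous Digg is now in a situation that is not very encouraging. Several months have passed since it relaunched after a redesign last August. According to data from the internet traffic measurement company Comscore, Digg had 18 million unique visitors from around the world in the month of the relaunch; in January of this year that number fell to under 12 million, a sharp drop of 33% within five months.

Digg's official messaging has kept claiming that all is well and that the company will find its way to success. But everyone feels this is no longer very likely, especially as founder Kevin Rose seems to think so too.

By observation, Kevin has almost stopped using the service. Last December, he went 22 consecutive days without submitting, commenting on, or even digging any news.

In the past 30 days, he was active on Digg only 7 times, less than once every 4 days. In the month since February 13, he has not submitted a single story. Likewise, Digg CEO Matt Williams is not much better, although he tries to average one comment or submission per day.

In sharp contrast, Rose is very active on Twitter, posting 181 tweets in the last month, 25 times more active than on the site he founded himself.

If even executives like Kevin Rose no longer use their own service, Digg's hopes of a revival are slim indeed. For this once high-flying startup, it is truly a complete tragedy.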

March 17, 2011
 

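Author: kurich

In his May 20 inaugural address, President Ma said: "Ying-jeou firmly believes that the key to the ultimate resolution of cross-strait issues lies not in sovereignty disputes but in way of life and core values. We sincerely care about the welfare of the 1.3 billion compatriots on the mainland, and earnestly hope that mainland China will continue to move toward freedom, democracy, and equitably shared prosperity, creating win-win historical conditions for the long-term peaceful development of cross-strait relations."

How should one begin to realize this wish? The author believes that democratic politics is party politics. Mainland China is now under the one-party rule of the Communist Party. Thinking in the long term, no dynasty in world history has lasted forever, and enterprises more than a hundred years old are also rare. If mainland China wants lasting stability and wants to move toward freedom, democracy, and shared prosperity, it should lift the ban on political parties and begin planning for and cultivating a second party! Looking at China since the Xinhai Revolution overthrew the imperial system, the Kuomintang and the Communist Party have governed in succession, and both are parties with a doctrine, ideals, talent, and contributions recorded in the pages of history.

On the basis of the 1992 Consensus, any issue can be discussed! Then let us start with "whether the Chinese Kuomintang should return to the mainland to set up party branches." Asking the Chinese Communists to recognize the Republic of China seems impossible in the short term, but asking the Chinese Communist Party to recognize the Chinese Kuomintang as a legal political party of China should not be an issue that cannot be discussed!

If letting the Kuomintang openly develop its organization and recruit members on the mainland is still difficult at first, then it could first go to Hong Kong and restore the name of the Revive China Society (興中會). When the direct election of the Hong Kong Chief Executive is held in 2017, let the Chinese Kuomintang nominate a candidate as well. Whether or not the candidate is elected, at least this is a start.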