Forged Google Certificate
There’s been a forged Google certificate out in the wild for the past month and a half. Whoever holds it (evidence points to the Iranian government) can, if they sit on the network path between a victim and Google’s servers, launch man-in-the-middle attacks against Gmail users and read their mail. This isn’t Google’s mistake; the certificate was issued by a Dutch CA that has nothing to do with Google. That is exactly what makes it dangerous: it wasn’t forged in the sense of a faked signature. It was signed with the real key of a CA that browsers already trust, so it chains and validates just like a genuine Google certificate.
This attack illustrates one of the many security problems with SSL: there are too many single points of trust. Every CA in a browser’s trust store can issue a certificate for any domain, so the compromise of any one of them, however small or obscure, compromises every site for every user of that browser.
EDITED TO ADD (9/1): It seems that 200 forged certificates were generated, not just for Google.
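To make that point concrete, here is an added example (written for this edit, not code from the original post, from Google, or from any CA), in Go using only the standard library’s crypto/x509. It builds two self-signed root CAs, “Honest CA” and “Compromised CA” (constructed names; the second stands in for the Dutch CA), puts both in one trust store, and has each issue a certificate for mail.google.com. Ordinary path validation accepts both, because it has no way to know which CA should have signed for that name; a public-key pin for the genuine key is the check that rejects the rogue one. The host name, the CA names and the pinning functions are assumptions of the example, not anything the post describes.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must aborts on errors that cannot realistically occur here (local key generation and signing).
func must(err error) {
	if err != nil {
		panic(err)
	}
}

// template describes a root CA (isCA) or a server certificate for name; all certificates are constructed for this example.
func template(name string, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	if isCA {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
	} else {
		t.DNSNames = []string{name}
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// newCert generates a fresh P-256 key for tmpl and has parent sign it (self-signed when parent is nil).
func newCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// chainValid is the browser's default check: accept the leaf if ANY trusted root signed it and the name matches.
func chainValid(leaf *x509.Certificate, roots *x509.CertPool, host string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}

// spkiPin is the SHA-256 of the SubjectPublicKeyInfo, the value key pinning compares.
func spkiPin(cert *x509.Certificate) [32]byte {
	return sha256.Sum256(cert.RawSubjectPublicKeyInfo)
}

// pinnedValid adds a CA-independent check: the chain must validate AND the leaf key must match the published pin.
func pinnedValid(leaf *x509.Certificate, roots *x509.CertPool, host string, pin [32]byte) bool {
	return chainValid(leaf, roots, host) && spkiPin(leaf) == pin
}

// Result records which check accepted which certificate.
type Result struct {
	GenuineChain, RogueChain, GenuinePin, RoguePin bool
}

// Scenario puts two CAs in the trust store, lets each issue a certificate for
// the same Gmail host name, and runs both checks against both certificates.
func Scenario() Result {
	const host = "mail.google.com" // assumed target name; not the real certificate
	honestCA, honestKey := newCert(template("Honest CA", true), nil, nil)
	rogueCA, rogueKey := newCert(template("Compromised CA", true), nil, nil) // stands in for the breached Dutch CA
	genuine, _ := newCert(template(host, false), honestCA, honestKey)
	rogue, _ := newCert(template(host, false), rogueCA, rogueKey) // the mis-issued certificate
	roots := x509.NewCertPool() // the trust store: every CA in it has equal authority
	roots.AddCert(honestCA)
	roots.AddCert(rogueCA)
	pin := spkiPin(genuine) // the pin published for the genuine key
	return Result{
		GenuineChain: chainValid(genuine, roots, host),
		RogueChain:   chainValid(rogue, roots, host), // true: path validation cannot tell
		GenuinePin:   pinnedValid(genuine, roots, host, pin),
		RoguePin:     pinnedValid(rogue, roots, host, pin), // false: wrong key
	}
}

func main() {
	fmt.Printf("%+v\n", Scenario())
}
```

`go run` prints the four outcomes. The first pair is the attack: the mis-issued certificate passes exactly the check a browser runs, because the trust store gives every root equal authority over every name. The second pair is the mitigation and its caveat: pinning rejects the rogue certificate only because the client already knew the right key, so it is a per-site defence, not a fix for the CA model itself.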
Seth • September 1, 2011 6:10 AM
Wow. Just Wow. For now.