About the Author

Chris Shiflett

Hi, I’m Chris: entrepreneur, community leader, husband, and father. I live and work in Boulder, CO.


Fake Google SSL Certificate

When I heard the news that a root CA named DigiNotar had issued a fraudulent Google SSL certificate, the first thing I wanted to do was make sure my computer was safe. This is a quick post to help you do the same.

Since I use a Mac, my first stop was Keychain Access. I quickly found the DigiNotar root certificate.

Next, I removed all trust.

This takes care of Safari and Chrome. I went through a similar process for Firefox, and have since discovered a detailed post from Mozilla showing you how to do exactly what I did.

For more information about this incident, here's a quick reading list:

Google
An update on attempted man-in-the-middle attacks
Mozilla
Fraudulent *.google.com Certificate
Microsoft
Microsoft Releases Security Advisory 2607712
DigiNotar
DigiNotar reports security incident

There are also instructions for verifying that DigiNotar really did issue a fake Google SSL certificate.

About this post

Fake Google SSL Certificate was posted on Tue, 30 Aug 2011. If you liked it, follow me on Twitter or share:

7 comments

1.Jason Discount said:

I would also recommend ensuring Keychain Access is set to check revocation lists. In Prefs -> Certs, set OCSP and CRL to Best Attempt.

Wed, 31 Aug 2011 at 04:12:17 GMT Link


2.Chris Shiflett said:

A good reminder of something Sean frequently talks about with regard to Google Analytics and its incredible potential as a target:

http://daemonology.net/blog/2011-09...ertificate.html

Thu, 01 Sep 2011 at 20:40:09 GMT Link


3.No One said:

This type of issue occured a few months ago with Komodo. 1 of their resellers was compromised by an Iranian hacker who made false certs for Google, MS and a few other major sites.

Thu, 01 Sep 2011 at 21:16:01 GMT Link


4.Brenda Wallace said:

Don't forget your cellphone too.

Sun, 04 Sep 2011 at 03:55:33 GMT Link


5.Chris Shiflett said:

Mozilla has an update that further explains their decision to remove their trust in DigiNotar:

https://blog.mozilla.com/security/2...oval-follow-up/

Sun, 04 Sep 2011 at 13:25:36 GMT Link


6.Chris Shiflett said:

And more info:

https://blog.torproject.org/blog/di...mage-disclosure

Sun, 04 Sep 2011 at 19:26:42 GMT Link


Hello! What’s your name?

Want to comment? Please connect with Twitter to join the discussion.