Hi All,

From Dr. Geer on the Cryptography mailing list (http://lists.randombit.net/mailman/listinfo/cryptography).

It's another reason to pin your certificates. Stop accepting the "broken" as the "norm". Not everyone is a bank who can be irresponsible and pass losses caused by mistakes onto shareholders in pursuit of profits (re: risk acceptance). In some cases, people's lives depend upon it.

+1 to Google and AOSP for recognizing the problem, and taking action early. I owe the security team a beer.

Jeff

---------- Forwarded message ----------
From: <[email protected]>
Date: Fri, Jan 4, 2013 at 6:40 PM
Subject: [cryptography] another cert failure
To: [email protected]

you may have already seen this, but

http://www.bbc.co.uk/news/technology-20908546

Cyber thieves pose as Google+ social network

The lapse let cyber thieves trick people into thinking they were on Google+.

Web browser makers have rushed to fix a security lapse that cyber thieves abused to impersonate Google+.

The loophole exploited ID credentials that browsers use to ensure a website is who it claims to be. By using the fake credentials, criminals created a website that purported to be part of the Google+ social media network.

The fake ID credentials have been traced back to Turkish security firm TurkTrust which mistakenly issued them.

...

--
You received this message because you are subscribed to the Google Groups "Android Security Discussions" group.
