few more details http://gigaom.com/2013/12/09/google-catches-french-finance-ministry-pretending-to-be-google/
floating around on irc: https://www.imperialviolet.org/binary/anssi-chain.txt

regards,

skyper

On Mon, Dec 9, 2013 at 8:42 PM, Ralf Skyper Kaiser <[email protected]> wrote:

> Incredible.
>
> I added the incident to https://wiki.thc.org/ssl#OtherIncidents
>
> Also updated https://wiki.thc.org/ssl#BrowserManufactureFailedUs
>
> And while at it https://wiki.thc.org/ssl#EtisalatBreach (which is a prime
> example of a Bad Player who we are all forced to trust).
>
> The posting mentions "[..] we are carefully considering what additional
> actions may be necessary."
>
> Are there any details available?
>
> Is anyone doing an investigation?
>
> Will there be more public information available?
>
>
> Seth: great work. Thanks.
>
> regards,
>
> skyper
>
>
> On Sat, Dec 7, 2013 at 10:05 PM, Seth Schoen <[email protected]> wrote:
>
>>
>> http://googleonlinesecurity.blogspot.com/2013/12/further-improving-digital-certificate.html
>>
>> They caught it with pinning. I wonder if we have a sample; it sounds
>> like it was an extremely small-scale attack (a single organization got
>> an intermediate chaining to a publicly-trusted root in order to spy on
>> employees with its firewall?). If that was the entire scope of it,
>> it's relatively unlikely that anyone in that organization is sending
>> observations to us, maybe depending on how large the organization is
>> and whether they prevent desktop users from installing third-party
>> software.
>>
>> --
>> Seth Schoen <[email protected]>
>> Senior Staff Technologist https://www.eff.org/
>> Electronic Frontier Foundation https://www.eff.org/join
>> 815 Eddy Street, San Francisco, CA 94109 +1 415 436 9333 x107
>>
