You may or may not have read in the news about this, but in case you haven’t, here it is. First, a couple of definitions.
Digital certificate: A file issued to a website to prove its identity, and to let visitors connect to it over a secure, encrypted connection. These certificates are issued by a CA (Certification Authority).
Recently, unidentified hackers were said to have stolen digital certificates from a Dutch company (a CA) called DigiNotar. Several sources reported this, but Vasco, a Chicago-based company that recently acquired DigiNotar, acknowledged the fact today. Apparently the hacking took place last month.
At the time of the breach, and pretty much up until now, one of the stolen certificates could be used to impersonate Google websites as part of a phishing or “man-in-the-middle” attack.
Over the past 24 hours Google, Microsoft and Mozilla (maker of the Firefox web browser) have taken steps to block the exploitation of the rogue certificate.
All supported editions of Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2 use the Microsoft Certificate Trust List to validate the trust of a certificate authority. No action is required from users of these operating systems because Microsoft has removed the DigiNotar root certificate from the Microsoft Certificate Trust List, so certificates chaining to that root are no longer trusted there. Windows XP and Windows Server 2003 users, however, should beware.
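If you administer Windows machines and want to confirm for yourself that a CA is no longer in the Trusted Root store (rather than relying on the update having arrived), the following PowerShell snippet is an added example for this post, not Microsoft's or the author's code. It assumes PowerShell with the Cert: drive is available (it is not built into Windows XP), and the CA name and thumbprint it uses are placeholders you supply.

```powershell
# Added example (not from the original post): list any certificate in the machine
# and user Trusted Root stores whose Subject or Issuer matches a name, so an
# administrator can confirm whether a CA is still trusted on this computer.
function Find-TrustedRoot {
    param(
        [Parameter(Mandatory = $true)][string]$Name
    )
    $stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'
    foreach ($store in $stores) {
        Get-ChildItem -Path $store |
            Where-Object { $_.Subject -like "*$Name*" -or $_.Issuer -like "*$Name*" } |
            ForEach-Object {
                [PSCustomObject]@{
                    Store      = $store
                    Thumbprint = $_.Thumbprint
                    Subject    = $_.Subject
                    NotAfter   = $_.NotAfter
                }
            }
    }
}

# Report: an empty result means no root with that name is trusted on this machine.
# 'DigiNotar' is the CA named in this post; substitute any other CA name to check.
Find-TrustedRoot -Name 'DigiNotar' | Format-Table -AutoSize

# Removal, if the report shows a root you no longer want to trust (run elevated).
# THUMBPRINT_FROM_REPORT_ABOVE is a placeholder: paste the thumbprint from the report.
# -WhatIf previews the change; drop it to actually delete the root from the store.
# Remove-Item -Path 'Cert:\LocalMachine\Root\THUMBPRINT_FROM_REPORT_ABOVE' -WhatIf
```

Both the per-machine and per-user Root stores are checked because a root that is removed from one can still be trusted through the other; run the report again after any update or removal to confirm the store is clean.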
What to do for Windows XP / Windows Server 2003 users
If Google Chrome is your browser of choice, update it to its latest version, which is 13.0.782.218.
Be on the alert for an update of Firefox and apply it when available, if that is the web browser of your choice. Update, 9/3/11: Firefox 6.0.1 has now been released, fixing the vulnerability described in this article.
Be on the alert for a Windows update to help curb the threat.