SSL Hack of Google - Please read, this may affect you.

Tech Speak

I've just learned via my Twitter feed that a certificate authority in the Netherlands issued a valid SSL wildcard certificate for Google to a third party in July, leading to concerns that attackers may have been using the certificate to route sensitive traffic through their own servers, capturing it and compromising user data in the process. Microsoft TechNet has issued an advisory about the certificate, and a Pastebin post of the SSL certificate alleges it was used by the Iranian government for man-in-the-middle attacks. Google has written about the attack on its blog, and PC World has provided an excellent overview of the problem.

Plain English

What this means is that a valid security certificate for Google, issued by DigiNotar, was released to a third party, making it possible for that third party to masquerade as Google and obtain sensitive user information such as usernames and passwords. Worse, the certificate was a wildcard, meaning it was valid for any Google domain. Google's above-referenced blog post asserts the attack was only focused on Iranian targets. However, DigiNotar's root CA certificate should be deleted or marked as untrusted on all computers while the investigation is ongoing.

What You Should Do

Delete the certificate. Here's how:

Linux Command Line: sudo rm -f /etc/ssl/certs/DigiNotar_Root_CA.pem (via @ioerror)

Firefox: Deleting the DigiNotar CA certificate

Safari: DigiNotar certificate security issue (via the Coriolis News blog and @ioerror)

Chrome: Deleting the DigiNotar Root CA in Google (This video begins badly, but stick with it. The image clears up.)

Microsoft indicates it has already removed DigiNotar as a trusted SSL certificate for all of its products.
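
For the Linux command above, a check of what still references the CA after the .pem file is gone. This is an added example, not part of the original post or from @ioerror. It assumes a Debian/Ubuntu-style store (a directory of .pem files with <hash>.0 symlinks next to a concatenated ca-certificates.crt bundle), and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: list what still references a CA after its .pem was removed.
# Assumption: Debian/Ubuntu-style layout. Function names are hypothetical.

# Print every entry in DIR whose file name or symlink target contains NAME
# (case-insensitive). The glob matches directory entries, not their targets,
# so a <hash>.0 link left dangling by the rm is still reported.
ca_dir_leftovers() {
    dir=$1 name=$2
    for entry in "$dir"/*; do
        [ -e "$entry" ] || [ -L "$entry" ] || continue
        target=""
        [ -L "$entry" ] && target=$(readlink "$entry")
        if printf '%s\n%s\n' "${entry##*/}" "$target" | grep -qi -- "$name"; then
            if [ -L "$entry" ] && [ ! -e "$entry" ]; then
                printf 'dangling-link %s -> %s\n' "$entry" "$target"
            else
                printf 'present %s\n' "$entry"
            fi
        fi
    done
    return 0
}

# Print the subject/issuer lines in a concatenated PEM bundle that mention
# NAME. Needs the openssl CLI; prints nothing if the bundle is unreadable.
ca_bundle_leftovers() {
    bundle=$1 name=$2
    [ -r "$bundle" ] || return 0
    openssl crl2pkcs7 -nocrl -certfile "$bundle" |
        openssl pkcs7 -print_certs -noout | grep -i -- "$name" || true
}

# Run as: sh check.sh /etc/ssl/certs diginotar
if [ "$#" -eq 2 ]; then
    ca_dir_leftovers "$1" "$2"
    ca_bundle_leftovers "$1/ca-certificates.crt" "$2"
fi
```

Any output means some software on the machine may still find the CA: programs that read the bundle file do not look at the individual .pem files at all.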