In light of all the discussions about maintaining a secure posture on trusted certificates we often times forget about the little guys. In this case I’m talking about our mobile devices. We tend to forget that these devices are just as vulnerable as our desktop/laptops. Unfortunately it’s not always easy to manage the certificates on these devices. But if you own an Android device and would like to take a little more control over what your device is trusting read on to find out how you can do it.
edited September 2 with an update on Apple/Safari. Another case of a certification authority (CA) issuing a certificate they never should have has surfaced. You may remember when we discussed the Comodo incident earlier this year. Now, a certificate issued by DigiNotar has surfaced in the wild, being valid for *.google.com – meaning it could be used to secure any transaction with any Google web property, including GMail. According to this pastebin post, this certificate “is being used in the wild against real people in Iran *right* now.” DigiNotar has issued a statement. Here is some information about why this is bad, and what steps you should take to remove this issuer from your trust lists.
As some of you know, a lot of my background is in the world of Public Key Infrastructure. I’ve been involved in every phase of PKI, including developing certification authority and ASN.1/DER encoding/decoding software, developing automated registration authority components, creating certificate policies and certification practices statements, as well as designing and rolling out production PKIs for large organizations. Increasingly, organizations are turning to the use of Active Directory Certificate Services, otherwise known as Microsoft Certificate Services. The reasons are many: it’s included with the purchase of your Windows Server product, it’s easy to configure and use, and did I mention it doesn’t cost any (additional) money? The Microsoft product is a fairly good one and provides for a lot of[…]