A fraudulent SSL certificate for “*.google.com”, issued by the Dutch certificate authority (CA) DigiNotar to the Iranian government or its agents, has triggered a wave of updates from software makers to stop their applications trusting the CA. The certificate was issued on 10 July to unknown persons in Iran and is being used in a man-in-the-middle attack against Gmail users. It is a major breach of the public key infrastructure (PKI), which relies on root certificate authorities to issue certificates that identify domain names.
The attack was detected thanks to certificate pinning, a feature Google introduced in Chrome 13. Certificate pinning associates a domain with a very limited number of certificate authorities, so a certificate for that domain that chains to any other CA is rejected even though the CA is otherwise trusted. Google has posted an update on the issue on its blog. Vendors such as Microsoft and Mozilla plan to issue updates for their products that completely remove DigiNotar from the list of trusted CAs. Since it is not clear how the rogue certificate was issued in the first place, no certificate from DigiNotar can be trusted until those updates land.
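To make the pin check described above concrete, here is an added example (not Google's or Chrome's code, and no real CA material): the client's trust store holds two constructed roots, only one of which is pinned for the host mail.example.test, and a wildcard certificate issued by the other, trusted-but-unpinned root passes ordinary PKI validation yet fails the pin check.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
// spkiPin hashes the SubjectPublicKeyInfo; a pin set stores these hashes, not whole certificates.
func spkiPin(c *x509.Certificate) [32]byte { return sha256.Sum256(c.RawSubjectPublicKeyInfo) }
// issue creates a throwaway key and a certificate for cn signed by parent (nil parent: self-signed root). Everything is constructed for this demo.
func issue(cn string, parent *x509.Certificate, parentKey ed25519.PrivateKey, dns ...string) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn}, DNSNames: dns,
		IsCA: parent == nil, BasicConstraintsValid: true, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	if parent == nil {
		parent, parentKey = tpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tpl, parent, pub, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// verifyPinned runs ordinary chain validation against the trust store, then additionally requires that the root the chain ends in is one of the few CAs pinned for this host.
func verifyPinned(leaf *x509.Certificate, roots *x509.CertPool, host string, pins map[[32]byte]bool) error {
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	if err != nil {
		return err // already fails plain PKI validation
	}
	for _, chain := range chains {
		if pins[spkiPin(chain[len(chain)-1])] {
			return nil
		}
	}
	return fmt.Errorf("%s: chain is trusted by the store but ends in an unpinned CA", host)
}
// demo: both roots are trusted, only the first is pinned for the host; a wildcard cert from the other root passes plain validation but fails the pin check.
func demo() (fromPinnedCA, fromOtherCA error) {
	pinnedCA, pinnedKey := issue("Pinned Root CA", nil, nil)
	otherCA, otherKey := issue("Other Trusted Root CA", nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(pinnedCA)
	roots.AddCert(otherCA)
	pins := map[[32]byte]bool{spkiPin(pinnedCA): true}
	good, _ := issue("mail.example.test", pinnedCA, pinnedKey, "*.example.test")
	bad, _ := issue("mail.example.test", otherCA, otherKey, "*.example.test")
	return verifyPinned(good, roots, "mail.example.test", pins), verifyPinned(bad, roots, "mail.example.test", pins)
}
```

The pin set is keyed on the public-key hash rather than the certificate, so the pinned CA can reissue or renew its certificates without breaking clients, while a certificate from any other CA in the store, however valid, is refused.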