<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Exchange Server">
<!-- converted from rtf -->
<style><!-- .EmailQuote { margin-left: 1pt; padding-left: 4pt; border-left: #800000 2px solid; } --></style>
</head>
<body>
<font face="Calibri, sans-serif" size="2">
<div>This is from the latest edition of the SANS NewsBites email. Please read the editor’s note.</div>
<div> </div>
<div><font face="Consolas, monospace" size="2">--Companies Revoke Trust in Unauthorized Google Digital Certificates (January 3, 2013) Google, Microsoft, and Mozilla have revoked (trust) for two digital certificates that were released by a Turkish certificate authority (CA).</font></div>
<div><font face="Consolas, monospace" size="2">The certificates were issued by an intermediate certificate authority that links back to TURKTRUST, which has acknowledged that in August 2011, it inadvertently issued two intermediate CA certificates to organizations that should have received regular SSL certificates. The certificates are being used in active phishing attacks.</font></div>
<div><font face="Consolas, monospace" size="2"><a href="http://www.computerworld.com/s/article/9235218/Google_finds_unauthorized_google.com_domain_certificate_scrambles_to_fix?taxonomyId=17"><font color="#0000FF"><u>http://www.computerworld.com/s/article/9235218/Google_finds_unauthorized_google.com_domain_certificate_scrambles_to_fix?taxonomyId=17</u></font></a></font></div>
<div><font face="Consolas, monospace" size="2"><a href="http://krebsonsecurity.com/2013/01/turkish-registrar-enabled-phishers-to-spoof-google/"><font color="#0000FF"><u>http://krebsonsecurity.com/2013/01/turkish-registrar-enabled-phishers-to-spoof-google/</u></font></a></font></div>
<div><font face="Consolas, monospace" size="2"><a href="http://www.darkreading.com/authentication/167901072/security/attacks-breaches/240145512/phony-google-digital-certificate-blocked-by-browser-vendors.html"><font color="#0000FF"><u>http://www.darkreading.com/authentication/167901072/security/attacks-breaches/240145512/phony-google-digital-certificate-blocked-by-browser-vendors.html</u></font></a></font></div>
<div><font face="Consolas, monospace" size="2">[Editor's Note (Pescatore): The CA/Browser Forum seemed to make little progress (and actually lost members due to intellectual property issues) in 2012 in improving the sorry state of SSL certificate issuance. They met in December; I hope their 2013 New Year's Resolution was a much more aggressive approach this year.</font></div>
<div><font face="Consolas, monospace" size="2">(Shpantzer): A non-technical article about SSL trust and the Turkish CA, including the interesting idea that the browser companies are where the rubber meets the road:</font></div>
<div><font face="Consolas, monospace" size="2"><a href="http://erratasec.blogspot.com/2013/01/notes-on-turktrust-fiasco.html"><font color="#0000FF"><u>http://erratasec.blogspot.com/2013/01/notes-on-turktrust-fiasco.html</u></font></a> ]</font></div>
<div> </div>
<div>-Rick</div>
<div> </div>
</font>
</body>
</html>