[Owasp-france] Letter to EU Commission on French CA abuse

Ryan Dewhurst ryandewhurst at gmail.com
Tue Dec 10 13:00:44 UTC 2013


Bonjour,

As this is related to France and web security I thought some of you may
find it interesting.

As many of you may have already read, the French Finance Ministry
(Ministère de l'Economie et des Finances?) was found to be Man In The
Middle'ing its employees with a rogue SSL certificate.

The rogue certificate was produced by the French ANSSI Certificate
Authority (CA). The certificate in question has since been revoked by
browsers (Chrome at least, probably most others). ANSSI claim the
certificate was produced in 'human error' -
http://www.ssi.gouv.fr/en/the-anssi/events/revocation-of-an-igc-a-branch-808.html

According to Google, the rogue SSL certificate was used 'with the knowledge
of the users on that network'. -
http://googleonlinesecurity.blogspot.co.uk/2013/12/further-improving-digital-certificate.html

The Hackers Choice (THC) have written an open letter to the EU Commission.
This letter contains further information about the incident.

https://wiki.thc.org/ssl#EUCommission

Thanks,
Ryan