DigiNotar certificates are pulled, but not on smartphones
Neither Google nor Apple has announced plans to revoke certificates issued by DigiNotar in their smartphone OSes
IDG News Service - Browser makers have generally been quick to react to the computer compromise at digital certificate issuer DigiNotar, but that hasn't been the case for all mobile phone makers.
On Tuesday neither Google nor Apple would comment on whether they plan to revoke certificates issued by DigiNotar for Android or the iPhone, even as desktop software makers pulled the plug on the Dutch company's certificates.
Apple hasn't said anything about the DigiNotar situation since it was disclosed last week, but Google was quick to revoke the company's certificates for its Chrome browser last week. Its silence Tuesday spoke to the complexity of its situation as both a victim of the attacks and a provider of the software that can thwart them. The problem is that Google's Android phones are updated via mobile phone carriers, companies that are typically much slower to issue patches than PC software vendors such as Microsoft.
Google needs to work carefully with carriers before they can push out patches, said Marsh Ray, a senior software engineer with online authentication vendor PhoneFactor. "What if the carrier's only payment method is a Web page using a certificate signed by DigiNotar?" he said in an instant message interview. "It would be disaster if Google pushed such an update blindly."
Developers on the unofficial community Android distribution, Cyanogenmod, expressed similar reservations in their discussion forum. Worried about the possible fallout, they were initially reluctant to push out an update that revoked DigiNotar's certificates, but they changed their mind as the seriousness of the situation became clear.
The lack of patches raises questions for mobile phone users in Iran, who may not be able to tell who they should trust on the Internet. Iranian users were the target of the DigiNotar hack, and as many as 300,000 of them have been directed to fake websites that used the bogus certificates, forensic auditors investigating the incident reported Monday.
The digital break-in seems to have been a data-gathering expedition, designed to steal Gmail messages and other information.
In fact, the hackers who broke into DigiNotar issued hundreds of digital certificates, including one for Google.com, which allowed them to take a first step in tricking Internet users into believing that one of their servers actually belonged to Google. The second step is to take control of the network's Domain Name System (DNS) and direct users to the fake site whenever they type in the Google.com address.
Microsoft's Windows Phone software does not include DigiNotar in its list of trusted certificate authorities and that appears to be the case on at least some BlackBerry phones as well. As was the case with their smart-phone competitors, neither Microsoft nor Research In Motion could answer questions on this topic Tuesday.
- Best iPhone, iPad Business Apps for 2014
- 14 Tech Conventions You Should Attend in 2014
- 10 Desktop Apps to Power Your Windows PC
- How to Add New Job Skills Without Going Back to School
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- OpenStack Hype vs. Reality: CIO Quick Pulse Open-source architecture can enable IT departments to build infrastructure-as-a-service (IaaS) clouds running on standard hardware.
- The Critical Role of Support in Your Enterprise Mobility Management Strategy Most business leaders underestimate the importance of tech support when they choose an EMM solution. Here's what to put on your checklist.
- Separating Work and Personal at the Platform Level: How BlackBerry Balance Works BlackBerry® Balance™ separates work from personal on the same mobile device, right at a platform level. Find out how it can work for...
- Protection for Every Enterprise: How BlackBerry Security Works Get an IT-level review of BlackBerry® Security, addressing data leakage protection, certified encryption, containerization and much more.
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Unmasking the Differences between Consumer and Enterprise File Sync & Share The consumerization of IT combined with the rapid pace of the modern mobile workplace is forcing enterprise IT teams to evaluate file sync...
- Live Webcast Workforce Mobilization for Improved Productivity A mobility research director from Aberdeen discusses reasons for extending legacy applications to mobile devices, and an integration strategist from Attachmate shows how...
- Getting Ready for BlackBerry Enterprise Service 10.2 Find out how BlackBerry® Enterprise Service 10 helps organizations address the full spectrum of EMM challenges, while balancing the needs of both the...
- Containerization Options: How to Choose the Best DLP Solution for Your Organization This webcast outlines a framework for making the right choice when it comes to containerization approaches, along with the pros and cons of... All Mobile/Wireless White Papers | Webcasts
As emerging technologies evolve they often find an initial niche in highly specialized scenarios, or in specific industry verticals, before expanding to wider areas of applicability. Within these initial niches, the early adopters can be anything from digital enthusiasts to fashionistas, or they can be folks simply using the technology because it serves a specific need extremely well. (free registration required) more