Serious Security Issue on ALL Platforms!


There has been a serious security issue revealed in the past few weeks that affects every single computer in the world! I know that sounds alarmist and like the setup to a bad joke, but it's true. Understanding its pervasiveness requires a technical explanation of the fundamental way we secure ourselves online.

Public-Key Encryption

Public-Key Encryption, or PKI for short, is the most common method used for encrypting traffic across the Internet. It is also the primary way we verify the identity of people and computers across the Internet. Web pages that start with "https://", as well as email connections using secure services for POP and IMAP, use this technology. Most importantly, encrypting a certificate with these pairs ensures that the certificate you receive truly is from your bank and not some nefarious hacker trying to steal your information!

PKI works by creating a pair of "keys" that are used to encrypt and decrypt data as it travels across the internet. Each pair of keys is randomly generated and must be used together. The way it works is just short of amazing. If I encrypt traffic with my "A" key, it can only be decrypted with my "B" key. Conversely, only key "A" can decrypt information encrypted with the "B" key. It's magic! The "A" key is called the "private key" and NEVER, never, never leaves the possession of the owner. The "B" key is handed out to the whole world and is called the "public key."

The way this works to prove that "mybank.com" is really "mybank.com" and not "russianmafia.net" pretending to be "mybank.com" is a little complicated, but should be foolproof based on some assumptions.

When "mybank.com" needs a certificate, they contact a certificate issuing authority, who verifies who they are and then creates the certificate and a pair of keys. The certificate that they get contains more than information about them: it also contains information about who gave them the certificate and some encrypted information that can only be decrypted with the public key ("B") of the issuer.

When you connect to "mybank.com" using an encrypted protocol (https, for example), you are handed the certificate as well as the public key. There are some gyrations to minimize the number of times that the private key is used to encrypt the information, but, generally, you know that you have a valid certificate and that "mybank.com" is really who they say they are because you can find the issuing authority information in your browser's list of trusted issuers.

Bad News

One of the trusted issuing authorities didn't do their job. Someone managed to get a "google.com" certificate issued to them, and they were not Google. That means that somewhere out there, you could connect to a Gmail server, a Google Voice server or even a Google affiliate login that looks completely legitimate but sends your data to criminals.

Since the trust is built into your browser, the only fix is to remove that issuer from your list of trusted issuers. Firefox is already issuing an update to remove them, but it won't fix the problem completely. Microsoft and Apple have not announced update plans yet.
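The trust decision described above, and why removing the issuer is the fix, as a toy model. This is an added example, not part of the original article: it uses textbook RSA with small fixed primes (insecure, for illustration only), and the issuer names "CarefulCA" and "SloppyCA" and all keys are hypothetical.

```python
import hashlib

def make_keypair(p, q, e=65537):
    """Toy RSA from two fixed primes (constructed, far too small for real use)."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))      # private exponent (Python 3.8+)
    return (n, e), (n, d)                  # public "B" key, private "A" key

def _digest(subject, pub, issuer, n):
    data = f"{subject}|{pub}|{issuer}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def issue(subject, subject_pub, issuer, issuer_priv):
    """Issuer binds a name to a public key by signing with its private key."""
    n, d = issuer_priv
    sig = pow(_digest(subject, subject_pub, issuer, n), d, n)
    return {"subject": subject, "pub": subject_pub, "issuer": issuer, "sig": sig}

def verify(cert, hostname, trust_store):
    """What the browser does: name match, trusted issuer, valid issuer signature."""
    issuer_pub = trust_store.get(cert["issuer"])
    if cert["subject"] != hostname or issuer_pub is None:
        return False
    n, e = issuer_pub
    return pow(cert["sig"], e, n) == _digest(cert["subject"], cert["pub"], cert["issuer"], n)

def demo():
    # Hypothetical issuers and keys, all constructed for this example.
    careful_pub, careful_priv = make_keypair(2**89 - 1, 2**107 - 1)
    sloppy_pub, sloppy_priv = make_keypair(2**61 - 1, 2**127 - 1)
    site_pub, _ = make_keypair(2**13 - 1, 2**17 - 1)
    impostor_pub, _ = make_keypair(2**19 - 1, 2**31 - 1)

    trust = {"CarefulCA": careful_pub, "SloppyCA": sloppy_pub}
    real = issue("google.com", site_pub, "CarefulCA", careful_priv)
    rogue = issue("google.com", impostor_pub, "SloppyCA", sloppy_priv)  # mis-issued
    tampered = dict(real, pub=impostor_pub)        # key swapped after signing

    before = (verify(real, "google.com", trust), verify(rogue, "google.com", trust),
              verify(tampered, "google.com", trust))
    del trust["SloppyCA"]                          # the fix: distrust the issuer
    after = (verify(real, "google.com", trust), verify(rogue, "google.com", trust))
    return before, after

if __name__ == "__main__":
    print(demo())
```

The mis-issued certificate passes every check until its issuer is removed from the trust list, while a certificate altered after signing fails regardless. That is why the problem has to be fixed in the list of trusted issuers.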

Late News

The bad guys may have gotten more than "google.com" certificates. This makes simple fixes impossible.

Certificate Trust Fix

We can change your system-level certificate trust to minimize your exposure to this issue if you call us. 256-534-4620, press 1 for the tech team. If no one is in the office, we'll call you back as soon as we get your message!