Fraudulent Google certificate points to Internet attack Based in Iran

Discussion in 'News And Current Events' started by iraniam, Aug 29, 2011.

  1. iraniam Member

    This screenshot shows the warning the user reportedly got when attempting to log in to Gmail.

    A Dutch company appears to have issued a digital certificate for to someone other than Google, who may be using it to try to re-direct traffic of users based in Iran.
    Yesterday, someone reported on a Google support site that when attempting to log in to Gmail the browser issued a warning for the digital certificate used as proof that the site is legitimate, according to this thread on a Google support forum site.
    "Today, when I tried to login to my Gmail account I saw a certificate warning in Chrome," someone using the screen name "alibo" wrote. "I think my ISP or my government did this attack (because I live in Iran and you may hear something about the story of Comodo hacker!)" Alibo then posted a screenshot and the text of the certificate. The screenshot page was not accessible.
    In this case the browser of the person reporting the problem warned that there was a problem with the digital certificate. However, it's unclear what triggered the warning and other browsers may not. In that event, a user could end up on a site that purports to be but isn't.
    CNET verified that the digital certificate is fraudulent. This Pastebin post details how to verify that a certificate is real and notes that it was issued in July. More information on how to mitigate the risk from the DigiNotar certificate is provided on this Facebook page from Ryan Hurst, manager of advertising security engineering at Microsoft.
    A Google spokesman provided CNET with this statement: "A Chrome security feature warned the user of the invalid certificate and blocked them from visiting the attacker's site. We're pleased that the security measures in Chrome protected the user and brought this attack to the public's attention. While we investigate, we plan to block any sites whose certificates were signed by DigiNotar."
    Mozilla said in a blog post: "Because the extent of the mis-issuance is not clear, we are releasing new versions of Firefox... shortly that will revoke trust in the DigiNotar root and protect users from this attack. We encourage all users to keep their software up-to-date by regularly applying security updates. Users can also manually disable the DigiNotar root through the Firefox preferences."
    The certificate was issued by DigiNotar, based in the Netherlands. Representatives from the company did not immediately respond to an e-mail seeking comment today and an automated message said the offices were closed for the night and offered no voice-mail option. A phone call and e-mail to Vasco Data Security, parent company of DigiNotar, were not immediately returned.
    The situation is similar to one that happened in March in which spoofed certificates were found involving Google, Yahoo, Microsoft, and other major sites and they used Internet Protocol addresses in Iran. In that case, the fraudulent digital certificates were acquired through reseller partners of certificate authority Comodo and a 21-year-old Iranian patriot took credit for the attack, saying he was protesting U.S. foreign policy.
    Moxie Marlinspike, chief technology officer of mobile security firm Whisper Systems and an expert on Internet authentication infrastructure, warned against jumping to conclusions about who is behind the attack.
    "Clearly something is amiss. There's a rogue cert for all of Google services in the wild," he told CNET. "Of course many people are quick to claim that the state of Iran is responsible for all this but I think it's probably too soon to draw that conclusion. There doesn't seem to be any specific evidence."
    These situations happen all the time, and rather than point fingers, the industry should fix the underlying problem, he said. In the meantime, individual Web surfers can protect themselves by using a Firefox plug-in Marlinspike developed called Convergence. "My hope is that this will be integrated into Web browsers themselves" in the future, he said.
    These attacks illustrate a fundamental weakness with the current Web site authentication system in which third parties issue certificates that prove that a Web site is legitimate when making an "https://" connection. The list of certificate issuers has ballooned over the years to approximately 650 organizations, which may not always follow the strictest security procedures. And each one has a copy of the Web's master keys. There is no automated process to revoke fraudulent certificates, nor is there a public list of certificates that companies like Comodo have issued, or even which of its resellers or partners have been given a duplicate set of the master keys. And there are no mechanisms to prevent fraudulent certificates for Yahoo Mail or Gmail from being issued by compromised companies, or repressive regimes bent on surveillance.
    Today's system gives browser makers tremendous responsibility. Any list of so-called certificate authorities they include will be trusted by billions of Web browsers around the world, unless users take the time to change the settings.
    "I expect this type of attack to become somewhat commonplace in time," said Roel Schouwenberg, senior researcher at Kaspersky Lab. "And in this case we may be looking at a double whammy - not only does SSL suffer yet another blow, we may also be looking at a serious compromise within Vasco. The latter could have a very significant impact."
    Update at 3:36 p.m. PT with Mozilla comment and mitigation information from Microsoft representative and 3:27 p.m. PT with comment from Google, Marlinspike and Schouwenberg and 1:45 p.m. PT: Added details about the browser warning, and about CNET attempts to reach Vasco Data Security.
    CNET's Declan McCullagh contributed to this report.

  2. Anonymous Member


  3. Anonymous Member

  4. Anonymous Member

  5. iraniam Member

    Security researchers are warning a web certificate is being used that could let hackers steal passwords and data from apparently secure connections to Google sites such as Gmail.

    Internet users in Iran are believed to be at particular risk from the rogue SSL certificate, which is used to digitally "sign" HTTPS connections to any site and was issued by a Dutch company called DigiNotar on 10 July. In particular, dissidents who trust Google's systems for their security may have been targeted in the attack.

    DigiNotar – which does not have any direct business relationship with Google – has not said who the certificate was issued to, but the effect would be that someone could think they were logged securely into a site and that their communication would be encrypted; but instead attackers controlling the network could eavesdrop on all their keystrokes, including passwords. This is known as a "man in the middle", or "MITM", attack.

    The first person to have noticed the rogue certificate appears to be an Iranian user, who posted about it on a Google support forum, asking whether it was an MITM attack. The problem was observed on multiple internet service providers, leading to concerns the government there might be using it to monitor dissidents and steal login details.

    The user also noted that connections to seemed to take a longer path than connections to, and the certificate did not seem to be in constant use: "I see this fake certificate only 30 minutes or one hour per day maybe they just test how sniff their users!", wrote the discoverer.

    Microsoft on Monday night removed the certificate from its list of allowed certificates with its browsers. That should mean users would get an "invalid certificate" warning if they try to log in to a Google site that presents the rogue certificate, in which case they should reject the connection.

    The discovery marks the second time in five months that rogue SSL certificates have been discovered circulating in the wild. In March, hackers cracked the systems used by the web certification company RSA and created a number of new, valid certificates for Google and for six other domains through a certification company called Comodo. The rogue certificates were in use for eight days before being revoked from major browsers, and longer for email programs.

    Both incidents have created growing concern among security researchers about the levels of trust that can be placed in SSL certification, which is used to create a "web of trust" in which certification companies can authorise multiple sites so that users can trust that their communications are untapped. The March hack against Comodo is thought to have been carried out by an Iranian team.

    The key weakness in the web certification system is that any company authorised to issue certificates can issue one that almost every browser will trust as being valid against any web property. Thus a DigiNotar certificate for would be trusted by almost every browser, even if a hacking attack meant it had been issued to someone who was not working for Google.

    "How many more DigiNotar-issued fake certificates are out there that nobody has noticed?" said Mikko Hypponen, chief research officer at the Finnish security company F-Secure.

    Users of the latest version of Google's Chrome browser would have been safe from the attack in the past month because it uses a system called "pinning", in which it rejects certificates from all but a limited number of companies, which does not include DigiNotar. However, the DigiNotar certificate was issued on 10 July, and the version of Chrome that would reject its certificate did not appear until 10 August, leaving a crucial window during which users have been vulnerable to attack.

    The Electronic Frontier Foundation said: "The certificate authority system was created decades ago in an era when the biggest online security concern was thought to be protecting users from having their credit card numbers intercepted by petty criminals. Today, internet users rely on this system to protect their privacy against nation states. We doubt it can bear this burden."

    The EFF says certification authorities "have been caught issuing fraudulent certificates in at least half a dozen high-profile cases in the past two years" but that the concern over the latest is that it might have been used to spy on any number of Iranian users.
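The two articles above describe the same weakness and two of the responses to it: any trusted CA can issue a certificate for any hostname that every browser will accept (the "key weakness" paragraph), Chrome's pinning rejects certificates for Google domains unless the chain contains one of a small set of pinned CA keys, and Mozilla and Microsoft responded by removing trust in the DigiNotar root. The following Go program, added here as an illustration and not code from either article or from any browser vendor, reproduces those three situations in memory with the standard library's crypto/x509 package: it generates two self-signed roots and two leaf certificates for the same hostname, shows that ordinary path validation accepts both, shows that an SPKI pin on the legitimate root rejects the second chain, and shows that removing the second root from the trust store rejects it as well. The CA names, the hostname mail.example.test and the pin set are all constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// Hypothetical hostname, constructed for this example.
const host = "mail.example.test"

// keyed pairs a certificate with the private key that signs under it.
type keyed struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// issue creates a certificate for cn. parent == nil yields a self-signed root;
// otherwise the certificate is signed by parent, which must be a CA.
func issue(cn string, isCA bool, parent *keyed) *keyed {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{host}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	signerCert, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signerCert, signerKey = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signerCert, &key.PublicKey, signerKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return &keyed{cert: cert, key: key}
}

// spkiPin is the pin format browsers use: base64(SHA-256(SubjectPublicKeyInfo)).
func spkiPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// pathValid runs ordinary path validation of leaf against the given roots for
// host (no pinning) and returns the built chain so a pin check can inspect it.
func pathValid(leaf *x509.Certificate, roots ...*x509.Certificate) ([]*x509.Certificate, bool) {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	if err != nil {
		return nil, false
	}
	return chains[0], true
}

// pinned reports whether any certificate in a validated chain carries a pinned key.
func pinned(chain []*x509.Certificate, pins map[string]bool) bool {
	for _, c := range chain {
		if pins[spkiPin(c)] {
			return true
		}
	}
	return false
}

// Outcome records the four checks the story above turns on.
type Outcome struct {
	GenuineValid    bool // genuine leaf passes path validation
	RogueValid      bool // rogue leaf also passes while its root is trusted
	RoguePinned     bool // rogue chain passes the pin check (expected false)
	RogueDistrusted bool // rogue leaf fails once its root leaves the store
}

func Run() Outcome {
	goodRoot := issue("Example Trusted Root CA", true, nil)
	rogueRoot := issue("Example Mis-issuing Root CA", true, nil) // stands in for a compromised CA
	genuine := issue(host, false, goodRoot)
	rogue := issue(host, false, rogueRoot) // same hostname, different issuer
	pins := map[string]bool{spkiPin(goodRoot.cert): true}
	var o Outcome
	_, o.GenuineValid = pathValid(genuine.cert, goodRoot.cert, rogueRoot.cert)
	chain, ok := pathValid(rogue.cert, goodRoot.cert, rogueRoot.cert)
	o.RogueValid = ok
	o.RoguePinned = pinned(chain, pins)
	_, stillValid := pathValid(rogue.cert, goodRoot.cert) // rogue root removed
	o.RogueDistrusted = !stillValid
	return o
}

func main() {
	fmt.Printf("%+v\n", Run())
}
```

Path validation alone accepts the rogue chain because the trust store says nothing about which CA is allowed to speak for which hostname; the pin check and the root removal are the two controls that reject it. In practice a pin set would list several legitimate CA keys so that a key rotation or CA change does not lock users out, and the removal is only effective once the updated trust store reaches the client, which is the window the second article describes between the certificate's issuance and the browser updates.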
  6. To use Google GMAIL, one would have to be a fucking idiot!
  7. DeathHamster Member
