UPDATE 8/31/11: According to a report in SoftPedia, Dutch SSL certificate authority (CA) DigiNotar may have issued hundreds of rogue digital certificates aside from the Google certificate discovered earlier this week (below).
"This should render all certs signed by DigiNotar untrusted, but Chrome's hardcoded certificate blacklist actually increased by 247 entries. What do these represent? 'Bad DigiNotar leaf certificates for non-Google sites,' according to code comments left by the developers," SoftPedia reports.
"It's hard to believe that the DigiNotar hackers issued 247 rogue certificates, because that would mean that a large number of websites have been targeted by whoever ordered this attack. It might, however, be true. When a Comodo reseller was hacked back in March and its infrastructure was used to issue rogue certs for Google, Hotmail, Yahoo and other sites, Chrome's blacklist increased by just 10 certs. The high number might also explain why DigiNotar missed one."
* * *
A falsely issued Google SSL certificate has been discovered, and reports indicate that it may be part of a ploy by the Iranian government to perform Man-in-the-Middle (MitM) attacks.
Digital certificates are used by internet browsers to recognize legitimate websites and protect surfers from inadvertently exposing themselves to malware, phishing scams, impostors and spoofed landing sites.
The certificate was discovered by Ali Borhani, an Iranian freelance web developer, and was revealed in a Gmail help forum.
Borhani posted the following about the certificate:
Today, when I tried to login to my Gmail account I saw a certificate warning in Chrome. I took a screenshot and I saved the certificate to a file. This is the certificate file with the screenshot in a zip file:
and this is the text of the decoded fake certificate:
When I used a VPN I didn't see any warning! I think my ISP or my government did this attack (because I live in Iran and you may have heard something about the story of the Comodo hacker!)
The certificates are issued by only a handful of companies known as Certificate Authorities, such as VeriSign, GoDaddy, and the recently compromised Comodo.
In March, Comodo publicly accused Iranian hackers of fraudulently obtaining digital certificates from one of the company's Registration Authorities in Europe.
Google's Heather Adkins posted the following blog on the newly discovered certificate:
Today we received reports of attempted SSL man-in-the-middle (MITM) attacks against Google users, whereby someone tried to get between them and encrypted Google services. The people affected were primarily located in Iran. The attacker used a fraudulent SSL certificate issued by DigiNotar, a root certificate authority that should not issue certificates for Google (and has since revoked it).
Google Chrome users were protected from this attack because Chrome was able to detect the fraudulent certificate.
To further protect the safety and privacy of our users, we plan to disable the DigiNotar certificate authority in Chrome while investigations continue. Mozilla also moved quickly to protect its users. This means that Chrome and Firefox users will receive alerts if they try to visit websites that use DigiNotar certificates.
To help deter unwanted surveillance, we recommend that users, especially those in Iran, keep their web browsers and operating systems up to date and pay attention to web browser security warnings.
The certificate was issued on July 10th by Dutch SSL certificate authority (CA) DigiNotar, which revoked the certificate upon news of the possible exploit. The problem is that the certificate may still be in use, and many browsers do not check whether a certificate has been revoked.
Security experts agree that the issue comes down to accountability, and that CAs face no serious repercussions for a lack of due diligence in the issuing of digital certificates.
The lack of accountability in the industry could lead to the issuing of certificates that present criminal enterprises with the opportunity to conduct large-scale targeted cyber attacks that threaten businesses and their clientele.
An improperly issued digital certificate for a domain name the requester does not control would allow an attacker to carry out attacks while presenting a validly signed and authenticated certificate.
Attempts by internet browser providers to improve SSL security are thwarted by the fact that blacklisting the root certificates of companies that have a record of issuing bad certificates would also mean blocking access to all the websites that have obtained valid certificates from the same companies.
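To show why Chrome flagged the rogue certificate while ordinary chain validation would have accepted it, and why distrusting a whole CA also blocks that CA's legitimate customers, here is an added example that is not code from the article or from any browser. It models a browser's trust decision with three separate controls (leaf blacklist, CA distrust, public-key pinning); every certificate, CA name, key hash and fingerprint in it is constructed.

```python
import hashlib
from dataclasses import dataclass

def spki_hash(key: bytes) -> str:
    # Stand-in for the SHA-256 hash of a certificate's public key (constructed keys)
    return hashlib.sha256(key).hexdigest()

@dataclass(frozen=True)
class Cert:
    subject: str      # host or CA name the certificate was issued to
    issuer: str       # name of the CA that signed it
    spki: str         # hash of the certificate's public key
    fingerprint: str  # hash of the whole certificate (what a leaf blacklist matches on)

# Constructed trust store: both roots are trusted until one is pulled
ROOTS = {"Legit Root CA": spki_hash(b"legit-root"),
         "DigiNotar Root CA": spki_hash(b"diginotar-root")}
# Constructed pin set: a google.com chain must contain at least one of these keys
PINS = {"google.com": {spki_hash(b"google-intermediate")}}

def evaluate(host, chain, roots=ROOTS, pins=PINS, leaf_blacklist=frozenset(), distrusted=frozenset()):
    """chain[0] is the leaf; each cert must be issued by the next one and the last
    by a trusted root. Returns (trusted, reason)."""
    leaf = chain[0]
    if leaf.subject != host:
        return False, "name mismatch"
    if leaf.fingerprint in leaf_blacklist:      # hardcoded list of known-bad leaves
        return False, "leaf blacklisted"
    for child, parent in zip(chain, chain[1:]):
        if child.issuer != parent.subject:
            return False, "broken chain"
    root = chain[-1].issuer
    if root in distrusted:                       # whole CA removed from the store
        return False, "CA distrusted"
    if root not in roots:
        return False, "untrusted root"
    if host in pins:                             # pinning is checked on top of chain validity
        if not ({c.spki for c in chain} | {roots[root]}) & pins[host]:
            return False, "pin violation"
    return True, "ok"

# Constructed chains: the genuine one, a rogue one signed by DigiNotar, and an
# unrelated DigiNotar customer that gets caught when the CA is distrusted
LEGIT = [Cert("google.com", "Google Intermediate", spki_hash(b"google-leaf"), "fp-legit"),
         Cert("Google Intermediate", "Legit Root CA", spki_hash(b"google-intermediate"), "fp-gi")]
ROGUE = [Cert("google.com", "DigiNotar Root CA", spki_hash(b"rogue-leaf"), "fp-rogue")]
OTHER = [Cert("example.nl", "DigiNotar Root CA", spki_hash(b"other-leaf"), "fp-other")]

if __name__ == "__main__":
    print(evaluate("google.com", ROGUE, pins={}))   # plain chain validation accepts it
    print(evaluate("google.com", ROGUE))            # pinning rejects it
    print(evaluate("example.nl", OTHER, distrusted={"DigiNotar Root CA"}))  # collateral block
```

Without pins the rogue chain passes because DigiNotar is a trusted root and the chain is well-formed; the leaf blacklist and CA distrust are the two follow-up responses the article describes, and the last call shows the cost of the second one.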
The Iranian government could be interested in using MitM attacks to monitor Internet usage, redirect dissident web surfers, and collect intelligence on opposition factions.
A MitM attack intercepts a request for an HTTPS-encrypted site and inserts an intermediary between the user and the target system: the intermediary establishes its own encrypted link with the target while still being able to read the data before it is re-encrypted.