August 30, 2011
Fake Google SSL Certificates Putting Political Dissidents In Danger
Iranian internet users and others are believed to be at risk from a fake web certificate that could let hackers steal passwords and data from apparently secure connections to Google sites such as Gmail, CNET is reporting.
The rogue SSL certificate is used to digitally “sign” HTTPS connections to any Google site and was issued by a Dutch company called DigiNotar on July 10. In particular, political dissidents who put their trust in Google´s systems for their security may have been targeted in the attack.
DigiNotar does not have any direct business relationship with Google but has not said who the certificate was issued to. The results, however, would be that someone could think they were logged securely into a Google site and that their communication would be encrypted.
Hackers controlling the network could have access to all their keystrokes, including passwords. This is known as a “man in the middle” (MITM) attack. The digital certificate has been verified, by CNET, as fraudulent.
A Google spokesman provided CNET with this statement, “A Chrome security feature warned the user of the invalid certificate and blocked them from visiting the attacker´s site. We´re pleased that the security measures in Chrome protected the user and brought this attack to the public´s attention. While we investigate, we plan to block any sites whose certificates were signed by DigiNotar.”
This marks the second time in five months that rogue SSL certificates have been discovered. In March, hackers cracked the systems used by the web certification company RSA and created a number of new, valid certificates for Google and for six other domains through a certification company called Comodo, The Guardian reports.
The rogue certificates were in use for eight days before being revoked from major browsers, and were available longer for email programs.
These and similar incidents have created growing concern among security researchers about the levels of trust that can be placed in SSL certification. The March hack against Comodo is thought to have been carried out by an Iranian team.
Moxie Marlinspike, chief technology officer of mobile security firm Whisper Systems and an expert on Internet authentication infrastructure, warned against jumping to conclusions about who might be behind the attacks.
“Clearly something is amiss. There´s a rogue certificate for all of Google services in the wild,” he told CNET. “Of course many people are quick to claim that the state of Iran is responsible for all this but I think it´s probably too soon to draw that conclusion. There doesn´t seem to be any specific evidence.”
“These situations happen all the time, and rather than point fingers, the industry should fix the underlying problem,” Merlinspike said. In the meantime, individual web surfers can protect themselves by using a Firefox plug-in Marlinspike developed called Convergence. “My hope is that this will be integrated into web browsers themselves” in the future, he said.
The Electronic Frontier Foundation (EFF) explained, “The certificate authority system was created decades ago in an era when the biggest online security concern was thought to be protecting users from having their credit card numbers intercepted by petty criminals. Today, internet users rely on this system to protect their privacy against nation states. We doubt it can bear this burden.”
On the Net: