Google users targeted by forged security certificate
Security researchers have discovered a forged internet security certificate designed to allow hackers to spy on Google users' private emails and other communications.
DigiNotar issued the forged SSL certificate
By Christopher Williams, Technology Correspondent
12:27PM BST 30 Aug 2011
The forgery was first reported by an Iranian web user, which has raised fears it may be part of efforts by the government in Tehran to monitor dissidents.
The "man in the middle" attack also further undermines general confidence in the Secure Sockets Layer (SSL), a security protocol used to authenticate all kinds of sensitive internet traffic, including online banking. SSL certificates are meant to act as an independent third party's verification that communication between a website and a browser is secure.
The forgery was issued to the unknown attackers on 10 July by DigiNotar, a Dutch SSL certificate authority. For more than two months it would have allowed them to set up fake versions of Google websites that appeared genuine to users and their web browsers.
This would in turn have allowed the hackers to collect usernames and passwords for their targets' genuine Google accounts. The forged certificate was valid for google.com and all its sub-domains, including mail.google.com.
"Today, when I tried to login to my Gmail account I saw a certificate warning in Chrome," said alibo, a Google user who said he was in Iran and was first to report the attack.
Chrome has details of Google's genuine security certificates built-in, so it was able to detect the forgery when a fake website presented it to alibo's browser.
"I think my ISP or my government did this attack," he added.
The Electronic Frontier Foundation, a digital rights group based in San Francisco, said the incident demonstrated fundamental problems with SSL and the dozens of authorities such as DigiNotar that are trusted to issue certificates.
"The certificate authority system was created decades ago in an era when the biggest on-line security concern was thought to be protecting users from having their credit card numbers intercepted by petty criminals," the EFF said.
"Today internet users rely on this system to protect their privacy against nation-states. We doubt it can bear this burden."
In a similar incident earlier this year systems at Comodo, another certificate authority, were found to have been hacked and forced to issue forged certificates for Google, Microsoft, Skype and Yahoo! services. The firm said evidence indicated its attackers were based in Iran.
Today Vasco, DigiNotar's parent company, admitted in a statement that it had also been hacked, and that it issued more than one forged certificate as a result.
"On July 19th 2011, DigiNotar detected an intrusion into its certificate authority infrastructure, which resulted in the fraudulent issuance of public key certificate requests for a number of domains, including Google.com," it said.
"At that time, an external security audit concluded that all fraudulently issued certificates were revoked. Recently, it was discovered that at least one fraudulent certificate had not been revoked at the time."
The major browser makers – Google, Microsoft and Mozilla – all said they would use software patches to revoke DigiNotar's authority to issue SSL certificates in future.
Google said in a statement: "We're pleased that the security measures in Chrome protected the user and brought this attack to the public's attention.
"While we investigate, we plan to block any sites whose certificates were signed by DigiNotar."
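The two defences the article describes, a browser's built-in knowledge of which keys may legitimately appear in a chain for a pinned site (how Chrome caught the forgery) and the later removal of the issuing CA from the trust store (the browser makers' patches), as an added illustration that is not the article's or Google's code. The certificate objects, chain contents and CA names below are constructed stand-ins, not real certificates or the actual DigiNotar hierarchy.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an X.509 certificate (constructed, not real DER)."""
    subject: str
    issuer: str
    spki: bytes  # would be the DER SubjectPublicKeyInfo of a real certificate


def spki_hash(cert: Cert) -> str:
    # Pins hash the public key rather than the whole certificate, so a
    # legitimately renewed certificate that keeps its key still matches.
    return hashlib.sha256(cert.spki).hexdigest()


# Constructed sample chains; chain[0] is the leaf, chain[-1] the root.
GENUINE_INTERMEDIATE = Cert("Example Intermediate CA", "Example Root CA", b"genuine-intermediate-key")
GENUINE_CHAIN = [
    Cert("*.google.com", "Example Intermediate CA", b"genuine-leaf-key"),
    GENUINE_INTERMEDIATE,
    Cert("Example Root CA", "Example Root CA", b"genuine-root-key"),
]
# A chain that passes ordinary path validation but was issued by the wrong CA.
FORGED_CHAIN = [
    Cert("*.google.com", "DigiNotar Public CA", b"attacker-leaf-key"),
    Cert("DigiNotar Public CA", "DigiNotar Root CA", b"diginotar-intermediate-key"),
    Cert("DigiNotar Root CA", "DigiNotar Root CA", b"diginotar-root-key"),
]

# Pins shipped with the client: keys that must appear somewhere in the chain
# for the pinned host, the idea behind Chrome's built-in list for Google sites.
PINS = {spki_hash(GENUINE_INTERMEDIATE)}
# CAs removed from trust by a browser patch, as the browser makers announced.
DISTRUSTED = {"DigiNotar Root CA"}


def check_chain(chain, pins, distrusted):
    """Return (accepted, reason) for a chain that already passed path validation."""
    for cert in chain:
        if cert.subject in distrusted:
            return False, f"chain contains distrusted CA {cert.subject!r}"
    if not any(spki_hash(cert) in pins for cert in chain):
        return False, "no pinned key found in chain"
    return True, "ok"


if __name__ == "__main__":
    print(check_chain(GENUINE_CHAIN, PINS, DISTRUSTED))
    print(check_chain(FORGED_CHAIN, PINS, set()))  # caught by pinning before any distrust patch
    print(check_chain(FORGED_CHAIN, PINS, DISTRUSTED))
```

The second call shows why pinning mattered here: the forged chain is rejected even with an empty distrust list, which is the state every non-pinning client was in for the two months before the revocation.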