Since a hacker gained unauthorised access to the Dutch SSL certificate authority DigiNotar in July and used it to issue fraudulent certificates for many domains, including google.com, MITM (man-in-the-middle) attacks have been mounted against Iranian citizens by impersonating secure connections to many popular sites. Crucially, no one knows exactly how many certificates were fraudulently issued for other sites, whether earlier attacks using this method have gone unnoticed, or how many fraudulent SSL certificates are still out there.
The recent attack, which potentially exposed the data and login details of an unknown number of users of an unknown number of sites, specifically targeted Iranian citizens: it took advantage of Iran’s government-controlled internet infrastructure to place the fraudulent certificates between users and their most trusted HTTPS (‘SSL’-secured) sites.
After DigiNotar detected an intrusion in July and revoked the invalid certificates it knew of, Google Chrome’s extra checks were apparently the only reason the remaining bad certificates came to light. 247 were blacklisted by Chrome, thanks to the browser’s unique ‘pinning’ feature, but Google were swift to point out that Chrome’s pinning only protected visits to google.com, not to other sites. As a result, they said, “…no one knows how many others are affected.”
Only adding to this internet paranoia nightmare, DigiNotar themselves have stated that at least one fraudulent certificate had not been revoked at the time. Unsure of the extent to which their security has been compromised, DigiNotar also temporarily suspended its issuing of SSL and EV SSL certificates.
What can an attacker do with a fake certificate? Essentially, they can impersonate any site they hold a certificate for and reroute its traffic to themselves, while the targeted users remain under the impression that they are on a secure connection. Rerouting the traffic requires control of the network path, so in practice this can only be accomplished by a ‘rogue’ ISP or government, and only against the users within its reach.
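To make concrete why Chrome’s pinning caught certificates that ordinary CA validation accepted, here is an added example (not code from the original post or from any browser) that computes a public-key pin in the form Chrome and HPKP use, base64 of the SHA-256 of the DER SubjectPublicKeyInfo, and runs it alongside a plain CA check. The keys, the `validate` helper and the DER encoder are constructed for the example; a real client would take the SubjectPublicKeyInfo from the certificate the server actually presents.

```python
import base64
import hashlib

# Tiny DER encoder so the sample runs offline. A real client would take the
# SubjectPublicKeyInfo straight out of the certificate the server presents.
def der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_len(len(content)) + content

def der_int(v: int) -> bytes:
    # One extra byte guarantees a leading 0x00 when the top bit is set (DER positive INTEGER).
    return der_tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))

def rsa_spki(modulus: int, exponent: int = 65537) -> bytes:
    """DER SubjectPublicKeyInfo for an RSA key (RFC 5280 wrapping a PKCS#1 RSAPublicKey)."""
    alg = der_tlv(0x30, bytes.fromhex("06092a864886f70d0101010500"))  # rsaEncryption + NULL
    pub = der_tlv(0x30, der_int(modulus) + der_int(exponent))
    return der_tlv(0x30, alg + der_tlv(0x03, b"\x00" + pub))  # BIT STRING, 0 unused bits

def spki_pin(spki: bytes) -> str:
    """Pin in the form Chrome and HPKP use: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki).digest()).decode()

def validate(issuer_trusted: bool, leaf_spki: bytes, pins: set) -> dict:
    """Standard CA validation alongside a pin check; a pinned site needs both to pass."""
    ca_ok = issuer_trusted                      # what every browser checks
    pin_ok = spki_pin(leaf_spki) in pins        # what only a pinning browser checks
    return {"ca_check": ca_ok, "pin_check": pin_ok, "accept": ca_ok and pin_ok}

# Constructed scenario, not real keys: the genuine site key is pinned in the
# browser; the fraudulent certificate carries a different key but chains to a
# CA the browser trusts (DigiNotar was such a CA), so CA validation passes.
SITE_SPKI = rsa_spki((1 << 2047) | 0x1234_5678_9ABC_DEF1)
FRAUD_SPKI = rsa_spki((1 << 2047) | 0xDEAD_BEEF_0000_0001)
PINS = {spki_pin(SITE_SPKI)}

if __name__ == "__main__":
    print("genuine cert:", validate(True, SITE_SPKI, PINS))
    print("fraudulent cert from trusted CA:", validate(True, FRAUD_SPKI, PINS))
```

The fraudulent certificate passes the CA check and fails only the pin check, which is why a browser without pins for a given site (every site other than google.com in Chrome at the time) had no way to tell the two apart.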
There are several indicators that Iranian internet users remain at grave risk of unwanted and very dangerous surveillance. Firstly, the censored version of the internet available in Iran may make it hard or even impossible to know that this attack happened at all.
Secondly, the Tor Project – used by millions around the globe to browse the web privately – was among the targeted sites. And finally, Iranian Mac OS X users are likely to find that a glitch prevents their browsers from revoking the false certificates.
How many Iranians have been imprisoned, tortured or jailed so far as a result? We’ll never know – and the worst thing about this situation is actually just how much we may never know.
How many more sites are still presenting false certificates, undiscovered? It would seem unlikely that the Iranian government is the only one using this tactic to uncover the thoughts and communications of those they deem a threat. Personal privacy online has received a deep wound that reaches to the core of society.
SSL certificates and that reassuring HTTPS in our browser address bars have seen their day; there is currently no such thing as a secure connection and until some new protocol is dreamt up and fully implemented, internet privacy is under threat.
Gez Hebburn Sept 2011
Gez loves to write about culture, society and technology. Blogging about the office with his shoes off, Gez got inspired by being invited to post on Sabrina Sabino and started trying to plan an all-inclusive holiday to the Seychelles in 2012… but lunch is winning in the battle for concentration. Cheese & Onion pasties or… Coco de Mer? This is the question…