Latest Tech News - Google users in Iran targeted in SSL spoof
Results 1 to 1 of 1
  1. #1
    SuperMod
    vis~as's Avatar
    Member InfoShowcaseActivity StatusThanks / Tagging Info
    join date|Join Date
    Sep 2006
    post count|Posts
    8,928
    reputation|Rep Power
    249

    Latest Tech News - Google users in Iran targeted in SSL spoof

    For an unknown period of time this weekend, Gmail users in Iran who tried to access their accounts were at risk of having their log-in credentials stolen, after someone broke into a Dutch company to steal the digital equivalent of an identification card for Google.com.

    "The people affected were primarily located in Iran," Google said in a post late last night. "The attacker used a fraudulent [Secure Sockets Layer] certificate issued by DigiNotar, a root certificate authority that should not issue certificates for Google [and that has since revoked it]."

    The problem surfaced yesterday after someone reported it on a Google support site on Sunday.

    Asked how many Google users were affected, a Google representative said: "It's always difficult to know such details for a man-in-the-middle attack. We're investigating. But note [that] this was not just an attack on Google users; lots of other sites also had fraudulent certificates issued. It's only because of the innovative 'pinning' feature built into Chrome that the attack was uncovered. That feature currently only protects visits to google.com, not other sites. So no one knows how many others are affected."

    Regarding whether any log-in credentials had been successfully stolen in the attack, the representative said Google is still investigating.

    DigiNotar detected an intrusion into its Certificate Authority infrastructure on July 19, the company said in a statement.

    During the intrusion, someone issued fraudulent certificate requests "for a number of domains," but DigiNotar revoked them, the company said. "Recently, it was discovered that at least one fraudulent certificate had not been revoked at the time," the statement said, adding that the company is temporarily suspending the sale of its SSL and EVSSL (Extended Validation SSL) certificate offerings.

    DigiNotar representatives did not respond to an e-mail seeking an interview, but a spokesman told IDG News Service that the intruder had created fraudulent certificates for several dozen Web sites, and that the certificate for Google.com was issued July 10 and had gone live on Sunday.

    It remains unclear who is behind the attack.

    "What can you do with such a certificate? Well, you can impersonate Google--assuming you can first reroute Internet traffic for google.com to you," Mikko Hypponen, chief research officer at security firm F-Secure, wrote in a blog post today. "This is something that can be done by a government or by a rogue ISP. Such a reroute would only affect users within that country or under that ISP."

    "To help deter unwanted surveillance, we recommend that users, especially those in Iran, keep their Web browsers and operating systems up-to-date and pay attention to Web browser security warnings," the Google blog said.

    Hypponen was critical of DigiNotar over the matter, saying his firm had uncovered three defaced Web pages on DigiNotar sites, including two in which Iranian hackers took credit or were referenced. The sites were defaced years ago and were still up today, he said.

    "Didn't DigiNotar think it's a tad weird that Google would suddenly renew their SSL certificate, and decide to do it with a midsized Dutch CA (certificate authority}, of all places?" he wrote in the blog post. "And when DigiNotar was auditing their systems after the breach, how on earth did they miss the Iranian defacement discussed above?"

    Browsers to the rescue

    Google Chrome users were protected from the attack because the browser detected that the certificate was fraudulent. Google said it planned to disable the DigiNotar certificate authority in Chrome while investigations continue. Mozilla also said it was releasing new versions of Firefox to revoke trust in the DigiNotar root, so Chrome and Firefox users will see warnings, if they visit Web sites that use DigiNotar certificates.

    Microsoft also said it had removed the DigiNotar root certificate from the Microsoft Certificate Trust List, so Windows users would see an invalid certificate error message when browsing to a Web site or trying to install programs signed by the DigiNotar root certificate.

    Meanwhile, Hypponen noted that security consultant S. Hamid Kashfi, who tweeted about the attack involving the fraudulent google.com digital certificate on Sunday, wrote about such attacks involving Iran in a blog post (translation here) last year.

    This isn't the first time digital certificates--used by Web sites to prove to browsers that they are legitimate--have been issued fraudulently, and it won't be the last. That's because the underlying structure for Web site authentication, in which more than 600 companies are entrusted to sell proof of authentication--called "digital certificates"--is flawed. The certificates are supposed to serve as proof that a Web site is the site it claims to be when a Web surfer uses an "https" connection. But the many companies providing the certificates have differing levels of security and no standard process for automatically revoking fraudulent certificates.

    In March, spoofed certificates were found involving Google, Yahoo, Microsoft, and other major sites that were acquired through reseller partners of certificate authority Comodo. They were traced to Iran through Internet Protocol addresses, and a 21-year-old Iranian patriot claimed credit for the attack, which he characterized as a protest of U.S. foreign policy.

    "The SSL 'race to the bottom' CA model is broken. Fraudulent certificates have been issued before, even without breaching a CA's systems," Johannes B. Ullrich, dean of research at the SANS Technology Institute, wrote in a blog post today. "But what can you do to replace or re-enforce SSL?"

    DNSSEC (Domain Name System Security) can provide another way to validate that a site is legitimate, but it is not perfect, either, he said. In addition, there are browser plug-ins that implement reputation systems. One plug-in that has gained traction is Convergence, which works with Firefox and which compares the certificate with other certificates received from the same site, he said.





    Powered By WizardRSS.com | Full Text RSS Feed | Amazon Plugin | Settlement Statement | WordPress Tutorials

  2. # 1a
    India
    Latest Tech News - Google users in Iran targeted in SSL spoof

    Join Date
    Jan 2009
    Posts
    192
     

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Similar Threads

  1. Latest Tech News - AT&T punches up targeted ad business
    By vis~as in forum Technology News, Updates & Reviews
    Replies: 0
    Last Post: 25th August 2011, 21:06
  2. Latest Tech News - Google+ pins 'verification badges' on users
    By vis~as in forum Technology News, Updates & Reviews
    Replies: 0
    Last Post: 20th August 2011, 19:13
  3. Latest Tech News - Study: Android users sad hicks, iPhone users rich girls
    By vis~as in forum Technology News, Updates & Reviews
    Replies: 0
    Last Post: 16th August 2011, 08:38
  4. Latest Tech News - Google+ speeds to 25 million users in first month
    By vis~as in forum Technology News, Updates & Reviews
    Replies: 0
    Last Post: 3rd August 2011, 14:25
  5. Latest Tech News - Google+ will let users conceal gender
    By vis~as in forum Technology News, Updates & Reviews
    Replies: 0
    Last Post: 13th July 2011, 08:54

User Tag List

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •