Dutch root Certificate Authority ‘DigiNotar’ Compromised: Fraudulent certificates were issued

300,000 Iranians may have had their Gmail accounts monitored as a result of a fake Google certificate being created.

DigiNotar, is a Dutch company(CA), issues SSL certificates that ensure authentication and encryption in SSL-protected websites. However, a recent breach in DigiNotar’s system has been discovered. The company was found to have issued a certificate for the “google.com” domain this July, even as Google has not acquired a certificate from the company. Coupled with a “poisoned” DNS cache, a third party could then pretend they were “google.com” and obtain user accounts and passwords that way.

  

Recently, an Iranian user uncovered a man-in-the-middle attack occurring with some of Google’s own security certificates for domains such as *.google.com. As it appears, some Iranian ISP may be involved in silently intercepting communications by Iranian citizens over the Internet by supplying a broken security certificate to them for securely accessing Google’s properties.

This compromised certificate has an issue date of July 10^th, 2011 that means this has been going on for almost two months.

Now, A fresh analysis by Trend Micro suggests a spike in the number of compromised DigiNotar certificates being issued to the Islamic Republic. 

DigiNotar itself reported that they were compromised on July 19, 2011, and several rogue SSL certificates had been issued including the one to *.google.com. All the other ones were revoked, but for some reason, DigiNotar missed revoking the one issued for Google’s domain. Why is this important? With the rogue certificate issued by a trusted CA, it’s possible to do Man-in-the-Middle attacks and listen in to any traffic going to Google’s services, such as Google Mail, Google Docs, Google Plus, and Google Apps, without any visible warnings to users.

Google is disabling access to DigiNotar certificates in Chrome. However, unknowing web users might still fall victim to so-called man-in-the-middle attacks, in which a third party pretends to be a certified website by using the fraudulent SSL certificate. Google has since updated Chrome, which is actually able to detect the fake certificate in the first place. Mozilla and Microsoft have likewise updated their Firefox and Internet Explorer browsers, respectively.

As September 5th, here’s the list of known domains that the attacker managed to create fake certificates for:

*.*.com
*.*.org
*.10million.org
*.android.com
*.aol.com
*.azadegi.com
*.balatarin.com
*.comodo.com
*.digicert.com
*.globalsign.com
*.google.com
*.JanamFadayeRahbar.com
*.logmein.com
*.microsoft.com
*.mossad.gov.il
*.mozilla.org
*.RamzShekaneBozorg.com
*.SahebeDonyayeDigital.com
*.skype.com
*.startssl.com
*.thawte.com
*.torproject.org
*.walla.co.il
*.windowsupdate.com
*.wordpress.com
addons.mozilla.org
azadegi.com
friends.walla.co.il
login.live.com
login.yahoo.com
my.screenname.aol.com
secure.logmein.com
twitter.com
wordpress.com
www.10million.org
www.balatarin.com
www.cia.gov
www.cybertrust.com
www.Equifax.com
www.facebook.com
www.globalsign.com
www.google.com
www.hamdami.com
www.mossad.gov.il
www.sis.gov.uk
www.update.microsoft.com

In addition, the attacker created rogue certificates for these names:

Comodo Root CA
CyberTrust Root CA
DigiCert Root CA
DigiCert Root CA
Equifax Root CA
Equifax Root CA
GlobalSign Root CA
Thawte Root CA
VeriSign Root CA

Like US on
facebook
Twitter
Thank ‘U’