300,000 Iranians may have had their Gmail accounts monitored as a result of a fake Google certificate being created.
DigiNotar is a Dutch certificate authority (CA) that issues SSL certificates providing authentication and encryption for SSL-protected websites. However, a breach of DigiNotar's systems has recently been discovered. The company was found to have issued a certificate for the "google.com" domain this July, even though Google never obtained a certificate from it. Combined with a "poisoned" DNS cache, a third party could then pretend to be "google.com" and obtain user accounts and passwords that way.
Recently, an Iranian user uncovered a man-in-the-middle attack involving some of Google's own security certificates, for domains such as *.google.com. It appears that an Iranian ISP may be silently intercepting Iranian citizens' Internet communications by serving them a bogus security certificate when they securely access Google's properties.
This compromised certificate has an issue date of July 10th, 2011, which means this has been going on for almost two months.
Now, a fresh analysis by Trend Micro suggests a spike in the number of compromised DigiNotar certificates being issued to the Islamic Republic.
DigiNotar itself reported that it was compromised on July 19, 2011, and that several rogue SSL certificates had been issued, including the one for *.google.com. All the others were revoked, but for some reason DigiNotar missed revoking the one issued for Google's domain. Why is this important? With a rogue certificate issued by a trusted CA, it is possible to carry out man-in-the-middle attacks and listen in on any traffic going to Google's services, such as Google Mail, Google Docs, Google Plus, and Google Apps, without any visible warning to users.
Google is disabling trust in DigiNotar certificates in Chrome. However, unknowing web users might still fall victim to so-called man-in-the-middle attacks, in which a third party pretends to be a certified website by using the fraudulent SSL certificate. Google has since updated Chrome, which was in fact already able to detect the fake certificate. Mozilla and Microsoft have likewise updated their Firefox and Internet Explorer browsers, respectively.
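As an added illustration, not code from the article, Google or DigiNotar, the Python below models the two client-side defences the article describes: refusing any chain that leads to a distrusted CA (the browser-update fix) and requiring a pinned public key for google.com, the kind of check that let Chrome flag the rogue *.google.com certificate. The certificate objects, key bytes and CA names are constructed stand-ins rather than parsed X.509 data.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str   # DNS name for a leaf, CA name for an issuer (simplified X.509 subject)
    issuer: str    # name of the CA that signed this certificate
    spki: bytes    # SubjectPublicKeyInfo; constructed stand-in bytes here, real DER in practice

def spki_sha256(cert):
    """Pins are taken over the public key, not the whole certificate."""
    return hashlib.sha256(cert.spki).hexdigest()

def name_matches(pattern, host):
    """RFC 6125 style matching: '*' covers exactly one leftmost label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host

def pinned_domain(host, pins):
    """Return the pinned domain covering host (itself or any subdomain), else None."""
    for domain in pins:
        if host == domain or host.endswith("." + domain):
            return domain
    return None

def evaluate(chain, host, pins, distrusted):
    """Verdict for a server chain (leaf first): 'ok' or the first failing check."""
    if not name_matches(chain[0].subject, host):
        return "name-mismatch"
    if any(c.issuer in distrusted for c in chain):   # the browser-update fix
        return "distrusted-ca"
    domain = pinned_domain(host, pins)
    if domain and not any(spki_sha256(c) in pins[domain] for c in chain):
        return "pin-mismatch"                         # rogue cert from a still-trusted CA
    return "ok"

# Constructed sample material; none of these keys or CA names are real.
GOOGLE_CA_KEY = b"constructed key of Example Google CA"
ROGUE_KEY = b"constructed key used by the rogue certificate"
PINS = {"google.com": {hashlib.sha256(GOOGLE_CA_KEY).hexdigest()}}
DISTRUSTED = {"DigiNotar CA (constructed name)"}
GENUINE_CHAIN = [
    Cert("*.google.com", "Example Google CA", b"constructed leaf key"),
    Cert("Example Google CA", "Example Root CA", GOOGLE_CA_KEY),
]
ROGUE_CHAIN = [Cert("*.google.com", "DigiNotar CA (constructed name)", ROGUE_KEY)]
```

With an empty distrust set the rogue chain still fails on the pin check, which is the situation users were in before the browser updates shipped.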
