Rogue Google certs used to spy on Iranian communications
A computer security firm claims to have "proof" that Iranians were the targets of the recent compromise of Dutch certification authority DigiNotar.
Trend Micro said the rogue SSL certificates, which can allow the interception of supposedly secure communications like email, were used for spying on Iranian Internet users on a large scale.
“We found that Internet users in more than 40 different networks of ISPs and universities in Iran were confronted with rogue SSL certificates issued by DigiNotar. Even worse: we found evidence that some Iranians who used software designed to circumvent censorship and snooping on traffic were not protected against the massive man-in-the-middle attack,” it said in a blog post.
Last July, hackers managed to create rogue SSL certificates for hundreds of domain names, including google.com and even the entire .com top level domain by breaking into systems of Certification Authority DigiNotar in the Netherlands.
Such rogue SSL certificates can be used in man-in-the-middle attacks where encrypted secure web traffic can be read by a third party. The rogue certificates were discovered Aug. 29.
Trend Micro cited data that its Trend Micro Smart Protection Network collected over time and analyzed.
Its analysis includes what domain names are accessed from what parts of the world at what time.
For the domain validation.diginotar.nl, it saw a “very remarkable pattern” where it was mostly loaded by Dutch and Iranian Internet users until August 30, 2011.
Domain name validation.diginotar.nl is used by Internet browsers to check the authenticity of SSL certificates that are issued by DigiNotar.
“DigiNotar is a small Dutch Certification Authority with customers mainly in the Netherlands. We therefore expect that this domain name is requested by mostly Dutch Internet users and perhaps a handful of users from other countries. Not by a lot of Iranians,” it said.
On Aug. 28, Trend Micro noted that “a significant part” of the Internet users who loaded DigiNotar's SSL certificate verification URL were from Iran.
But on Aug. 30, most traffic from Iran disappeared, and by September 2, 2011 nearly all of the Iranian traffic was gone; DigiNotar was again receiving mostly Dutch Internet users, as expected.
“These aggregated statistics from Trend Micro Smart Protection Network clearly indicate that Iranian Internet users were exposed to a large scale man-in-the-middle attack, where SSL encrypted traffic can be decrypted by a third party,” Trend Micro said.
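The analysis described above boils down to a simple aggregation: count who requests the CA's certificate-validation host, per day and per client country, and flag any day on which an unexpected country accounts for a large share of the requests. The script below is an added example, not code from the article or from Trend Micro; it runs over constructed sample log lines in an assumed "YYYY-MM-DD CC host" format, with the Netherlands as the expected origin for a small Dutch CA and an illustrative 20 percent share threshold, both of which are assumptions chosen for the example.

```python
"""
Geographic anomaly check on requests for a CA validation endpoint,
modelled on the pattern the article describes (an unexpected surge of
Iranian requests for validation.diginotar.nl around Aug. 28, 2011).
All log lines below are constructed for illustration.
"""
from collections import Counter, defaultdict
from datetime import date

VALIDATION_HOST = "validation.diginotar.nl"


def _make(day, country, host, n):
    """Build n identical constructed log lines (assumed format: day country host)."""
    return [f"{day} {country} {host}"] * n


# Constructed sample log: a few quiet days, one day with a large share of
# requests from an unexpected country, then the pattern fading out.
SAMPLE_LOG = (
    _make("2011-08-27", "NL", VALIDATION_HOST, 8)
    + _make("2011-08-27", "DE", VALIDATION_HOST, 1)
    + _make("2011-08-28", "NL", VALIDATION_HOST, 8)
    + _make("2011-08-28", "IR", VALIDATION_HOST, 12)
    + _make("2011-08-28", "IR", "www.example.com", 5)  # unrelated host, must be ignored
    + _make("2011-08-30", "NL", VALIDATION_HOST, 9)
    + _make("2011-08-30", "IR", VALIDATION_HOST, 1)
    + _make("2011-09-02", "NL", VALIDATION_HOST, 10)
    + ["this line is malformed"]  # malformed input must be skipped, not crash the run
)


def parse_line(line):
    """Parse 'YYYY-MM-DD CC host' into (day, country, host); None if malformed."""
    parts = line.split()
    if len(parts) != 3:
        return None
    day, country, host = parts
    try:
        date.fromisoformat(day)
    except ValueError:
        return None
    return day, country.upper(), host.lower()


def country_share_per_day(lines, host):
    """Return {day: {country: fraction_of_requests}} for requests to `host` only."""
    counts = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec[2] != host:
            continue
        day, country, _ = rec
        counts[day][country] += 1
    shares = {}
    for day, per_country in counts.items():
        total = sum(per_country.values())
        shares[day] = {cc: n / total for cc, n in per_country.items()}
    return shares


def flag_anomalous_days(shares, expected_country, threshold=0.2):
    """List (day, country, share) where a country other than the expected one
    exceeds `threshold` of that day's validation requests."""
    flagged = []
    for day in sorted(shares):
        for country, share in shares[day].items():
            if country != expected_country and share > threshold:
                flagged.append((day, country, round(share, 2)))
    return flagged


if __name__ == "__main__":
    shares = country_share_per_day(SAMPLE_LOG, VALIDATION_HOST)
    for day in sorted(shares):
        print(day, {cc: f"{s:.0%}" for cc, s in shares[day].items()})
    for day, country, share in flag_anomalous_days(shares, "NL"):
        print(f"ANOMALY {day}: {country} accounts for {share:.0%} of validation requests")
```

On the constructed data only Aug. 28 is flagged, for IR at 60 percent; the single Iranian request on Aug. 30 stays under the threshold, mirroring the fade-out the article reports. In a real deployment the expected-country baseline would be learned from a period before the incident rather than hard-coded, and the share threshold tuned to the CA's normal customer footprint.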
It said this could mean a third party was probably able to read all e-mail communication an Iranian Internet user had sent with his Gmail account.
Even more alarming, outgoing proxy nodes in the US belonging to anti-censorship software made in California were sending web rating requests for validation.diginotar.nl to Trend Micro's cloud servers.
“Very likely this means that Iranian citizens, who were using this anti censorship software, were victims of the same man-in-the-middle attack. Their anti-censorship software should have protected them, but in reality their encrypted communications were probably snooped on by a third party,” it said. — TJD, GMA News
Re: Rogue Google certs used to spy on Iranian communications
Very good find bro, I'll vote up the post the moment I log in from BG full.