Google users targeted by forged security certificate
Security researchers have discovered a forged internet security certificate designed to allow hackers to spy on Google users’ private emails and other communications.
The forgery was first reported by an Iranian web user, which has raised fears it may be part of efforts by the government in Tehran to monitor dissidents.
The “man in the middle” attack also further undermines general confidence in the Secure Sockets Layer (SSL), a security protocol used to authenticate all kinds of sensitive internet traffic, including online banking. SSL certificates are meant to act as an independent third party to verify that communication between a website and a browser are secure.
The forgery was issued to the unknown attackers on 10 July by DigiNotar, a Dutch SSL certificate authority. For more than two months it would have allowed them to set up fake versions of Google websites that appeared genuine to users and their web browsers.
This would in turn have allowed the hackers to collect usernames and passwords for their targets’ genuine Google accounts. The forged certificate was valid for google.com and all its sub-domains, including mail.google.com.
“Today, when I tried to login to my Gmail account I saw a certificate warning in Chrome,” said alibo, a Google user who said he was in Iran and was first to report the attack.
Chrome has details of Google’s genuine security certificates built-in, so it was able to detect the forgery when a fake website presented it to alibo's browser.
“I think my ISP or my government did this attack,” he added.
The Electronic Frontier Foundation, a digital rights group based in San Francisco, said the incident demonstrated fundamental problems with SSL and the dozens of authorities such as DigiNotar that are trusted to issue certificates.
“The certificate authority system was created decades ago in an era when the biggest on-line security concern was thought to be protecting users from having their credit card numbers intercepted by petty criminals,” the EFF said.
“Today internet users rely on this system to protect their privacy against nation-states. We doubt it can bear this burden.”
In a similar incident earlier this year systems at Comodo, another certificate authority, were found to have been hacked and forced to issue forged certificates for Google, Microsoft, Skype and Yahoo! services. The firm said evidence indicated its attackers were based in Iran.
It is unclear how DigiNotar’s attackers persuaded it to issue the forged google.com certificate, and the firm has not commented. The major browser makers – Google, Microsoft and Mozilla – all said they would use software patches to revoke the firm’s authority to issue SSL certificates.
Google said in a statement: "We're pleased that the security measures in Chrome protected the user and brought this attack to the public's attention.
"While we investigate, we plan to block any sites whose certificates were signed by DigiNotar."