Dutch firm linked to many more fraudulent Net certificates

Domains for which fraudulent security certificates were issued include CIA, MI6, Facebook, Microsoft, Skype, and Twitter. Spying on Iranian dissidents may have been the hackers' goal.

Steven Musil Night Editor / News

The number of fraudulent security certificates issued by a hacked Dutch firm has ballooned from the 247 reported last week to 531, and the main purpose of the attack appears to have been to spy on Iranian dissidents.

The list of domains for which fraudulent Secure Sockets Layer (SSL) certificates were issued by DigiNotar, a root certificate authority, now includes sites such as the CIA, MI6, Facebook, Microsoft, Skype, Twitter, and WordPress, among others, according to a list released this weekend by the Dutch Ministry of Justice. In the wake of the new revelations, the Dutch government has reportedly expressed a lack of confidence in the Netherlands-based company and taken control of it.

DigiNotar representatives did not respond to a request for comment.

The intrusion was revealed late last month when Google said Gmail users in Iran were at risk of having their log-in credentials stolen after someone broke into DigiNotar to steal the digital equivalent of an identification card for Google.com. The problem first surfaced on a Google support site on August 28. However, DigiNotar only acknowledged last week that it had detected an intrusion into its Certificate Authority infrastructure on July 19.

During the intrusion, someone issued fraudulent certificate requests "for a number of domains," but DigiNotar said earlier--when the list of affected domains was smaller--that it had revoked them. A fraudulent certificate allows someone to impersonate the secure versions of those Web sites--the ones that are used when encrypted connections are enabled--in some circumstances.

The Gmail incident affected mostly Iranian users, and it now appears the certificates might have been issued for the purpose of spying on Iranian dissidents, perhaps by the Iranian government. The Tor Project's Jacob Appelbaum, who published the list of affected domains, notes that one domain certificate on the list is "a calling card from a Farsi speaker," the language spoken by most Iranians:

CN=*.RamzShekaneBozorg.com,SN=PK000229200006593,OU=Sare Toro Ham Mishkanam,L=Tehran,O=Hameye Ramzaro Mishkanam,C=IR

RamzShekaneBozorg.com is a bogus address, and Appelbaum reported that "RamzShekaneBozorg" translates from Farsi to "great cracker," while "Hameyeh Ramzaro Mishkanam" translates to "I will crack all encryption" and "Sare Toro Ham Mishkanam" translates to "i hate/break your head."

Ot van Daalen, director of Bits of Freedom, a Dutch group that defends digital privacy rights, said the hacking put Iranian dissidents "at grave risk."

"It's horrible to say, but it's entirely possible that the hacking attack has endangered lives in Iran," Van Daalen told Radio Netherlands Worldwide. "There is a real chance that the Iranian authorities have used these certificates to eavesdrop on users. And it can't be ruled out they will continue doing so with other certificates."

Appelbaum, who noted that DigiNotar's audit trail is incomplete, said the list includes certificate authority (CA) roots that should probably never be trusted again.

"The most egregious certs issued were for *.*.com and *.*.org while certificates for Windows Update and certificates for other hosts are of limited harm by comparison," Appelbaum wrote in a Tor Project post. "The attackers also issued certificates in the names of other certificate authorities such as 'VeriSign Root CA' and 'Thawte Root CA' as we witnessed with ComodoGate, although we cannot determine whether they succeeded in creating any intermediate CA certs."
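To make concrete why a `*.*.com` certificate is so much more dangerous than the single-host certificates, and how the subject line quoted above breaks down into its fields, here is a small added example (not code from the article, DigiNotar, or the Tor Project). It parses the quoted subject string and contrasts a strict RFC 6125-style hostname matcher, which refuses multi-label wildcards, with the naive matching that would let `*.*.com` impersonate every two-label .com host; the subject string is the one printed in the article, and the hostnames are constructed.

```python
import re

# The subject of the fraudulent certificate quoted in the article (verbatim).
SAMPLE_DN = ("CN=*.RamzShekaneBozorg.com,SN=PK000229200006593,"
             "OU=Sare Toro Ham Mishkanam,L=Tehran,O=Hameye Ramzaro Mishkanam,C=IR")


def parse_dn(dn):
    """Split an RFC 2253-style subject string into ordered (attr, value) pairs.
    Backslash-escaped commas inside a value are honoured; multi-valued RDNs
    (joined with '+') are not needed for this sample and are left as-is."""
    pairs = []
    for rdn in re.split(r'(?<!\\),', dn):
        attr, _, value = rdn.partition('=')
        pairs.append((attr.strip(), value.replace('\\,', ',')))
    return pairs


def strict_matches(pattern, hostname):
    """RFC 6125-style check a careful TLS client performs: at most one '*',
    it must be the entire leftmost label, it never spans a dot, and at least
    two literal labels must follow it. '*.com' and '*.*.com' match nothing."""
    p = pattern.lower().rstrip('.').split('.')
    h = hostname.lower().rstrip('.').split('.')
    if len(p) != len(h):
        return False
    if '*' in pattern:
        if p[0] != '*' or any('*' in lbl for lbl in p[1:]) or len(p) < 3:
            return False
        return p[1:] == h[1:]
    return p == h


def naive_matches(pattern, hostname):
    """What a careless implementation does: every '*' label matches any label.
    Under this rule the '*.*.com' certificate is valid for mail.google.com,
    which is why Appelbaum calls it the most egregious of the batch."""
    p = pattern.lower().split('.')
    h = hostname.lower().split('.')
    return len(p) == len(h) and all(a == '*' or a == b for a, b in zip(p, h))


if __name__ == "__main__":
    for attr, value in parse_dn(SAMPLE_DN):
        print(f"{attr:3} = {value}")
    for host in ("mail.google.com", "www.ramzshekanebozorg.com"):
        print(host, "strict:", strict_matches("*.*.com", host),
              "naive:", naive_matches("*.*.com", host))
```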

The latest versions of Internet Explorer, Chrome, and Firefox have revoked trust in DigiNotar certificates, and users will see warnings if they visit Web sites that use that root authority's certificates.

This is the second time this year that the Iranian government has been linked to attempts to obtain fraudulent certificates to impersonate major Web sites. Comodo, a Jersey City, N.J.-based firm that issues digital certificates, said in March that nine certificates had been fraudulently obtained. The Internet Protocol addresses used in the attack were in Tehran, Iran, said Comodo, which added that because of the focus and speed of the attack, it was "state-driven."

Kaspersky Lab's Roel Schouwenberg wrote in a blog post that the DigiNotar attack may prove to be more of a watershed moment than Stuxnet, a worm discovered last year that is widely believed to have been designed to sabotage a uranium enrichment facility in Iran.

"The attack on DigiNotar doesn't rival Stuxnet in terms of sophistication or coordination," Schouwenberg wrote. "However, the consequences of the attack on Diginotar will far outweigh those of Stuxnet. The attack on DigiNotar will put cyberwar on or near the top of the political agenda of Western governments."