Certificate authority DigiNotar says its system was breached and that a fraudulent certificate for Google.com found its way to the Web.
For an unknown period of time this weekend, Gmail users in Iran who tried to access their accounts were at risk of having their log-in credentials stolen, after someone broke into a Dutch certificate authority and had it issue the digital equivalent of an identification card for Google.com to an impostor.
"The people affected were primarily located in Iran," Google said in a post late last night. "The attacker used a fraudulent [Secure Sockets Layer] certificate issued by DigiNotar, a root certificate authority that should not issue certificates for Google (and has since revoked it)."
The problem surfaced yesterday after someone reported it on a Google support site on Sunday.
Asked how many Google users were affected, a Google representative said: "It's always difficult to know such details for a man-in-the-middle attack. We're investigating. But note [that] this was not just an attack on Google users; lots of other sites also had fraudulent certificates issued. It's only because of the innovative 'pinning' feature built into Chrome that the attack was uncovered. That feature currently only protects visits to google.com, not other sites. So no one knows how many others are affected."
Regarding whether any log-in credentials had been successfully stolen in the attack, the representative said Google is still investigating.
Meanwhile, 247 digital certificates appeared to have been blacklisted by Google's Chrome browser in response to the incident, according to a Google Chromium code review page.
DigiNotar detected an intrusion into its Certificate Authority infrastructure on July 19, the company said in a statement.
During the intrusion, someone issued fraudulent certificate requests "for a number of domains," but DigiNotar revoked them, the company said. "Recently, it was discovered that at least one fraudulent certificate had not been revoked at the time," the statement said, adding that the company is temporarily suspending the sale of its SSL and EVSSL (Extended Validation SSL) certificate offerings.
DigiNotar representatives did not respond to an e-mail seeking an interview, but a spokesman told IDG News Service that the intruder had created fraudulent certificates for several dozen Web sites, and that the certificate for Google.com was issued July 10 and had gone live on Sunday.
Certificates for Mozilla, Yahoo, and the Tor Project anonymity network were among the nearly 250 fraudulently issued, according to a Computerworld report that cited a consultant at a Dutch security firm who got the information from an unnamed source. Mozilla confirmed that a certificate for its add-on site had been obtained by the DigiNotar attackers in July and that DigiNotar revoked it within days. A Yahoo spokeswoman said the company does not comment on specific instances and declined to elaborate. And a Tor Project blog post says a dozen Tor certificates were requested and DigiNotar said they were revoked.
It remains unclear who is behind the attack.
"What can you do with such a certificate? Well, you can impersonate Google--assuming you can first reroute Internet traffic for google.com to you," Mikko Hypponen, chief research officer at security firm F-Secure, wrote in a blog post today. "This is something that can be done by a government or by a rogue ISP. Such a reroute would only affect users within that country or under that ISP."
"To help deter unwanted surveillance, we recommend that users, especially those in Iran, keep their Web browsers and operating systems up-to-date and pay attention to Web browser security warnings," the Google blog said.
Hypponen was critical of DigiNotar over the matter, saying his firm had uncovered three defaced Web pages on DigiNotar sites, including two in which Iranian hackers took credit or were referenced. The sites were defaced years ago and were still up today, he said.
"Didn't DigiNotar think it's a tad weird that Google would suddenly renew their SSL certificate, and decide to do it with a midsized Dutch CA [certificate authority], of all places?" he wrote in the blog post. "And when DigiNotar was auditing their systems after the breach, how on earth did they miss the Iranian defacement discussed above?"
Browsers to the rescue
Google Chrome users were protected from the attack because the browser's built-in pinning for Google sites rejected the certificate even though it chained to a root the browser trusted. Google said it planned to disable the DigiNotar certificate authority in Chrome while investigations continue. Mozilla also said it was releasing new versions of Firefox that revoke trust in the DigiNotar root, so Chrome and Firefox users will see warnings if they visit Web sites that use DigiNotar certificates.
Microsoft also said it had removed the DigiNotar root certificate from the Microsoft Certificate Trust List, so Windows users would see an invalid certificate error message when browsing to a Web site or trying to install programs signed by the DigiNotar root certificate.
However, a glitch in Mac OS X was making it difficult for users to remove trust in the DigiNotar certificate, IDG News Service reported.
Meanwhile, Hypponen noted that security consultant S. Hamid Kashfi, who tweeted about the attack involving the fraudulent google.com digital certificate on Sunday, wrote about such attacks involving Iran in a blog post (translation here) last year.
This isn't the first time digital certificates--used by Web sites to prove to browsers that they are legitimate--have been issued fraudulently, and it won't be the last. That's because the underlying structure for Web site authentication, in which more than 600 companies are entrusted to sell proof of authentication--called "digital certificates"--is flawed. The certificates are supposed to serve as proof that a Web site is the site it claims to be when a Web surfer uses an "https" connection. But browsers treat every one of those companies as equally authoritative for every domain name, so any one of them can issue a certificate for any site, and the system is only as strong as its weakest member. The many companies providing the certificates have differing levels of security and no standard process for automatically revoking fraudulent certificates.
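The weakness described above, and the pinning check Google credits with uncovering the attack, can be shown side by side. The following is an added example written for this page; it is not code from Google, Chromium or DigiNotar and does not reproduce Chrome's actual 2011 pin list. It constructs two self-signed roots and places both in the trust store (as browsers trusted DigiNotar alongside the CAs Google actually uses), pins only the site owner's root, and then has each root issue a certificate for the same host name. Ordinary path validation accepts both chains; the pin check accepts only the site owner's. The root names, the host name `mail.example.com`, and the use of SHA-256 hashes of the SubjectPublicKeyInfo as pins are assumptions of the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// Result records the two independent checks a pinning-aware client makes:
// ChainOK is ordinary trust-store validation; PinOK is whether a pinned key appeared in the chain.
type Result struct{ ChainOK, PinOK bool }

// caTemplate describes a self-signed root (a constructed fixture, not a real CA).
func caTemplate(name string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
}

// leafTemplate describes a server certificate for host.
func leafTemplate(host string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
}

// mint generates a P-256 key and signs tmpl with parent's key (self-signed when parent is nil).
func mint(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// spkiPin is the base64 SHA-256 of the SubjectPublicKeyInfo, the form public-key pins take.
func spkiPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// check runs ordinary path validation, then requires a pinned key somewhere in the accepted chain.
func check(leaf *x509.Certificate, roots *x509.CertPool, host string, pins map[string]bool) Result {
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	if err != nil {
		return Result{} // the trust store alone already rejects this certificate
	}
	for _, chain := range chains {
		for _, c := range chain {
			if pins[spkiPin(c)] {
				return Result{ChainOK: true, PinOK: true}
			}
		}
	}
	return Result{ChainOK: true, PinOK: false} // trusted root, but not the site owner's
}

// RunScenario trusts two roots, pins only the site owner's, and tests a leaf for host from each.
func RunScenario(host string) (legit, rogue Result, err error) {
	ownerCA, ownerKey, err := mint(caTemplate("Site Owner Root (constructed)"), nil, nil)
	if err != nil {
		return
	}
	otherCA, otherKey, err := mint(caTemplate("Unrelated Trusted Root (constructed)"), nil, nil)
	if err != nil {
		return
	}
	roots := x509.NewCertPool()
	roots.AddCert(ownerCA)
	roots.AddCert(otherCA) // both trusted, as browsers trusted DigiNotar alongside Google's own CAs
	pins := map[string]bool{spkiPin(ownerCA): true}
	good, _, err := mint(leafTemplate(host), ownerCA, ownerKey)
	if err != nil {
		return
	}
	bad, _, err := mint(leafTemplate(host), otherCA, otherKey) // mis-issued, yet chains to a trusted root
	if err != nil {
		return
	}
	return check(good, roots, host, pins), check(bad, roots, host, pins), nil
}

func main() {
	legit, rogue, err := RunScenario("mail.example.com")
	fmt.Println("site owner's chain:", legit, "mis-issued chain:", rogue, "err:", err)
}
```

The pin is matched against every certificate in the validated chain rather than only the leaf, which is what lets a site rotate its own server keys under a pinned CA without breaking clients; it is also why pinning only helps for sites whose keys a client knows in advance, which is the limitation Google describes above.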
In March, fraudulently issued certificates for Google, Yahoo, Microsoft, and other major sites were found to have been obtained through reseller partners of certificate authority Comodo. They were traced to Iran through Internet Protocol addresses, and a 21-year-old who described himself as an Iranian patriot claimed credit for the attack, which he characterized as a protest of U.S. foreign policy.
"The SSL 'race to the bottom' CA model is broken. Fraudulent certificates have been issued before, even without breaching a CA's systems," Johannes B. Ullrich, dean of research at the SANS Technology Institute, wrote in a blog post today. "But what can you do to replace or re-enforce SSL?"
DNSSEC (Domain Name System Security Extensions) can provide another way to validate that a site is legitimate, but it is not perfect, either, he said. In addition, there are browser plug-ins that implement reputation systems. One plug-in that has gained traction is Convergence, which works with Firefox and compares the certificate a browser receives with the certificates that independent observers elsewhere on the network receive from the same site, he said.
Updated September 1 at 3:36 p.m. PT with Yahoo comment, 12:45 p.m. PT with Tor Project comment and Mac users reporting problems, 11:38 a.m. PT with Computerworld report that certificates for Mozilla, Yahoo, and Tor Project were among those fraudulently issued, and August 31 at 5:10 p.m. PT with Google Chromium code review page showing 247 digital certificates blacklisted.