On July 19, DigiNotar detected an intrusion into its Certificate Authority infrastructure that resulted in the fraudulent issuance of public key certificate requests for a number of domains, including Google.com. The fraudulent Web security certificates issued by hacked DigiNotar, allowing the hackers access to the data and passwords of Google sites, had not only hit social networking site Facebook and micro blogging site Twitter, but also the U.S. and the UK secret service agencies – CIA and MI6. Others hit include sites operated by Yahoo, Facebook, Microsoft, Skype, AOL, the Tor Project, WordPress, and by intelligence agencies like Israel’s Mossad and Britain’s MI6. Actually, we ourselves were hit around the same time so maybe we’ve done something to tick folks off too.
Around 300,000 unique requesting IPs to Google.com have been identified. Of these, 99 percent, allegedly, originated from Iran.
The latest versions of browsers, including Microsoft’s Internet Explorer, Google’s Chrome and Mozilla’s Firefox, are now rejecting certificates issued by DigiNotar. Dutch web security firm, DigiNotar is one of many companies which sell the security certificates widely used to authenticate Web sites and guarantee secure communications between a browser and a Web site. A record compiled in an Excel file and posted on a blog shows that the security of the users of U.S. secret service agency CIA and UK’s MI6 Web sites was compromised by the fake security certificate.
It seems a tad unrealistic that both the U.S. and U.K. intelligence agencies chose the Dutch firm to secure their biggest secrets, but I’ve yet to read an explanation on that point. I mean, we all know there are plenty of options here in the states and across the pond, so why go to The Netherlands to get a certificate? The claim that the Iranian government cooperated in the hacks has not been substantiated, but there is an implicaton that they were spying on dissidents and this emanated from those hacks.
From the NYTimes: “Technology experts cite a number of reasons to believe the attack is connected to Iran. Notably, several of the certificates contain nationalist slogans in Farsi, the language spoken by most Iranians. This, in combination with messages the hacker left behind on DigiNotar’s Web site, definitely suggests that Iran was involved,” said Ot van Daalen, director of Bits of Freedom, an online civil liberties group.”
Hopefully, they have more proof than language but often incidental evidence such as that is used to implicate the perpetrators. I would guess that Iranians know that they are under scrutiny and they aren’t the only nationals who speak Farsi.
Current browsers perform an Online Certificate Status Protocol (OCSP) check as soon as the browser connects to a SSL website protected through the https (hypertext transfer protocol secure) protocol.
The hacking implies that the current network setup and procedures at DigiNotar are not sufficiently secure to prevent this kind of attack. In theory, a fraudulent certificate can be used to trick a user into visiting a fake version of a Web site, or used to monitor communications with the real sites without users noticing.
However, in order to pass off a fake certificate, a hacker must be able to steer his target’s Internet traffic through a server that he controls. Only an Internet service provider or a government that commands one can do it easily.
Although no users in the Netherlands are known to have been victimized directly, the breach has caused a major headache for the Dutch government, which relied on DigiNotar to authenticate most of its Web sites.