

An update on attempted man-in-the-middle attacks - abraham
http://googleonlinesecurity.blogspot.com/2011/08/update-on-attempted-man-in-middle.html

======
tptacek
IE is killing it too, and, as this post points out, so is Mozilla.

Sign a Google Mail certificate for Iran? Fuck you. You're done.

In the medium term, I think a lot of HN people should also take a hard look at
CONVERGENCE.IO. For now, though, it's heartening to see the real power behind
Internet trust (hint: it's not Verisign and it's not the IETF) taking this
seriously.

~~~
stanleydrew
It's heartening but it's also not. Surely there have been many other cases of
invalid certs being granted for lower profile sites, perhaps by this very same
CA, without any of us ever hearing about it. And surely the granter of one of
those is still considered valid within many browser/OS configurations. But
because this was an invalid Google cert the CA gets shut down.

It kind of highlights the difficult problem of when to decide to blacklist a
CA in the current model.

And for clarity, who/what do you think is the real power behind Internet
trust? I've been thinking about it for five minutes and can't come up with a
good answer.

~~~
thurn
Browser vendors, perhaps?

~~~
wisty
And OS vendors. And whoever configures the computer. You buy a computer that
was made in China, and it has root certs already in there (thanks to either
Microsoft or Apple, or the shop who sold it, or the guys who assembled it -
who knows?). Chome / Safari uses the system certs. All good, right?

------
blauwbilgorgel
DigiNotar's mother company Vasco finally released a press statement.

[http://www.vasco.com/company/press_room/news_archive/2011/ne...](http://www.vasco.com/company/press_room/news_archive/2011/news_diginotar_reports_security_incident.aspx)

Just incredible: They were hacked and they knew it, then forgot to clean up a
certificate the hackers generated.

    
    
      On July 19th 2011, DigiNotar detected an intrusion into 
      its Certificate Authority (CA) infrastructure, which 
      resulted in the fraudulent issuance of public key 
      certificate requests for a number of domains, including 
      Google.com.
    
      Once it detected the intrusion, DigiNotar has acted in 
      accordance with all relevant rules and procedures.
      
      At that time, an external security audit concluded that 
      all fraudulently issued certificates were revoked. 
      
      Recently, it was discovered that at least one fraudulent 
      certificate had not been revoked at the time.  After 
      being notified by Dutch government organization Govcert, 
      DigiNotar took immediate action and revoked the 
      fraudulent certificate.
    
      The attack was targeted solely at DigiNotar's Certificate 
      Authority infrastructure for issuing SSL and EVSSL 
      certificates. No other certificate types were issued or 
      compromised. DigiNotar stresses the fact that the vast 
      majority of its business, including his Dutch government 
      business (PKIOverheid) was completely unaffected by the 
      attack.
    

Maybe directly, certainly not indirectly.

~~~
joelhaasnoot
FF nightly builds also block the PKIOverheid CA which signs the certificates
for key Dutch government websites and services (DigiD). Mozilla is going to
have a fun time with Dutch users/Dutch Government/DigiNotar

~~~
khuey
My understanding is that what Mozilla is going to ship will not block
PKIOverheid. See <https://bugzilla.mozilla.org/show_bug.cgi?id=682956#c17>

------
guelo
Do we really need all those Certificate Authorities that are trusted by the
browser? I remember 10 years ago Verisign would spend time verifying a
business digging through legal documents, addresses, company officers,
notarized docs, etc. Nowadays I'm supposed to trust a bunch of fly-by-night
operations issuing certificates for a dollar and a song.

~~~
darklajid
There are two sides to that, right?

You're building a new startup in (whatever) Bulgaria. Funds are low, but you
want to protect your users by using TLS/SSL. That's easy today, but your
'Think of the good old days' line is kind of killing that option. I know that
in my early 'put something on the net' days I didn't pay for a certificate
because it was just too expensive.

Nevermind that the process you seem to expect doesn't scale internationally
and that I seriously dislike the US centric bias anyway (too much power in one
country, without the privacy laws I consider basic standard).

------
ajb
What we need, I think, is for browsers to display the CA as well as the URL.
As in, 'DigiNotar certifies that you are connected to gmail'. This won't
wholly solve the problem, but it will a) broaden the knowledge that CA's
actually exist, and thus the problem of trusting them and b) provide some
reputational disincentive to being a bad CA.

Unfortunately chrome seems to be headed in the opposite direction, removing
the URL bar.

~~~
mibbit
Click on the padlock, and it tells you all of that.

eg "The identity of this website has been verified by Thawte SGC CA."

~~~
ajb
Thanks. However since it didn't even occur to me to do that, it doesn't seem
likely that many less technical people will do it.

~~~
edanm
Less technical people will _never_ understand, much less care, what a CA is.
It's hard anything explaining the concept of a URL!

~~~
ajb
There are lots of people between 'a HN reader' and 'your grandmother'. There
will always be people who don't understand what a CA is; but the more people
who do, the more pressure there will be for them to do their job correctly.

Also, they don't need to understand the technical details. If every time they
go to their bank it says 'connection to your bank certified by verisign', and
then one day it says 'certified by <someone else>', then a cautious person
will be suspicious, even if they are completely nontechnical.

~~~
dpark
There are much better ways to notify users than trying to convince them of the
value of monitoring their bank's CA. The browser could simply keep track of
the cert and notify the user if it changes unexpectedly. This doesn't require
the user to understand anything new, and it still works in the case that the
fraudulent cert is signed by Verisign.

------
pilif
It's a shame that the only real protection against rogue (or compromised) CAs
is still to have a whitelist directly in the browser.

For Google, this was easy as they control both their domains and their
browser, but for everybody else who isn't maintaining a browser, they'd have
to fall back to solutions like STS which, don't work if the first connection a
user sees is already man-in-the-middle'd

------
Joakal
If you want to verify that you no longer support Diginotar CA, this should
give you a warning: <https://www.diginotar.nl/>

~~~
lwat
I get redirected to a non-ssl page ( <http://www.diginotar.nl/Default.aspx> )
instead, no warning? (Chrome)

~~~
ncarroll
I got a warning on Firefox, but Opera redirected to <http://>.

~~~
0x0x0x
Safari 5.1 warns.

------
artursapek
Wow, the security features Chrome used to nullify the attack were just
implemented in June. I wonder if that was a reaction to another incident like
this, or if it was just good foresight?

~~~
tptacek
They ship one of the Big 4 browsers and run the Internet's most popular mail
server (and thus biggest TLS target). They're uniquely poised to do things
like this.

~~~
waitwhat
_the Internet's most popular mail server_

It is my understanding that gmail is dwarfed by both Hotmail and Yahoo! Mail.

------
willvarfar
The amazing thing is that:

1) it doesn't happen more often

2) that anyone noticed

Its clearly early days. If they had impersonated a download server, they could
have got users to download a spiked copy of the browser itself

~~~
tlrobinson
There's also the possibility that it does happen often and no one notices, of
course.

~~~
dredmorbius
Makes me wonder how you'd approach the "how do I find bad certs" problem.

You'd think that an entity which, say, scrapes a large portion of the Web on a
regular basis ... might be able to detect such things.

Meanwhile, there's CertWatch <http://certwatch.simos.info/> and The
Convergence Project <http://convergence.io/>

------
lsh123
The (partial) solution to this problem is very well known and is already
implemented by SSH and several other packages that rely on public
cryptography: 1) When user visits a _new_ site, the certificate is presented
to the user for inspection. 2) On subsequent visits, the site's certificate is
compared to the one stored in the browser cache. If they are the same, then
the connection is made silently. If there is difference, then the new cert is
presented to the user for inspection.

The only problem is that this would kill user experience for 99% of the users
who don't care about security in the first place. Thus, browsers need to do
some clever UI tricks (e.g. color the thingy in url bar in a different color,
etc.) to indicate potential problem to the user yet make it less intrusive.

The bottom line is that the fault is not on the SSL/x509. This infrastructure
is not perfect but there is nothing better even in the design. The fault is on
the browser developers who are not trying to protect users.

~~~
stanleydrew
See tptacek's comments from this thread on the earlier post to see why this
may not be a great idea:

<http://news.ycombinator.com/item?id=2938870>

------
happyfeet
Question: This I believe is a serious issue, but what is the best way to
'reach' out to majority of users in a country?

Should/would google display this blog link on top of every google service to
alert users in Iran, regardless of browser?

My thought is this blog may not even reach out to majority of users, till they
get affected by it unless it is 'broadcasted'.

------
idlewords
Anyone know a way to remove DigiNotar as a system root CA in OS X? I spent a
few minutes struggling with Keychain to no avail, and couldn't Google my way
to useful help.

~~~
dekz
Keychain -> System Roots -> Search for DigiNotar -> Right click delete.

Assert it has been removed by navigating to <https://www.diginotar.nl/>

~~~
biafra
Did you try that and it really removed the CA?

Or is it supposed to remove the trust only but keep the entry?

~~~
dekz
It removed the entry completely from the Keychain, I am on Lion for reference.

Sanity testing by loading the homepage over HTTPS results in a certificate
warning on all browsers (Firefox redirected to HTTP).

~~~
idlewords
Right-click delete is not an option on Snow Leopard, for some reason.

------
fragsworth
This seems like a very expensive, targeted, specific attack. The perpetrators
will likely succeed (or have already succeeded) at breaking into their
intended target.

Someone high-profile in Iran is probably going to get screwed as a result.

~~~
gst
That does not necessarily need to be the case.

I don't know how the CA in question works, but for many CAs it's sufficient to
be able to receive mails at the postmaster address of the domain in order to
receive a certificate.

So basically you only need to find a single CA that uses this techniques and
which uses a DNS server vulnerable to cache poisoning. Probing all of the CAs
may be a little bit of an effort, but it's something even a single individual
could manage. I would not find it suprising if this was the technique applied
in that case.

------
dunham
I really wish Chrome would warn me when a site jumps to a new CA or even a new
certificate. Last I checked, details on the current certificate wasn't made
available to plugins, so I can't easily write it myself.

------
jberryman
Any word on whether Iranians are still getting this attack? I would love to
see some traceroutes to google.com from affected individuals' machines.

------
0003
Nice anti-IE subtext, google.

~~~
martindale
Yeah, I lol'd.

------
SoftwarePatent
Ouch, DigiNotar is revoked in Chrome? They didn't do anything wrong, someone
else pretended to be them.

~~~
pilif
For somebody else to pretend to be then, in this case, they need their private
key. As a CA, you can't have your private key leaked and then still be trusted
by a browser.

Or they issued the *.google.com certificate by accident, but if you
accidentally issue a certificate as a CA, you can't be trusted by a browser
either.

IMHO, this was entirely justified.

