
Iranian hackers obtain fraudulent HTTPS certificates - there
https://www.eff.org/deeplinks/2011/03/iranian-hackers-obtain-fraudulent-https
======
patio11
Expect to see more of this: hackers are cheaper than missiles and nobody has
ever bombed anyone over the use of them. (That will probably not be true in
twenty years: there are things you could imagine doing which would force
nation states to treat them as symmetric threats.)

~~~
wladimir
The problem is that you can never be sure where a 'hack attack' came from.
Sure, the directly used IPs are from Iran, but it is very well possible they
were simply used as proxy. Most of the world already regards Iran as evil, so
they are a good scapegoat. Obviously it's possible they are really behind it,
but you can't be sure enough to start a war.

~~~
patio11
Let me put it this way: if Iran has deniably disabled US nuclear capability in
the same way that Israel deniably disabled Iranian nuclear capability, the
spectrum of options considered by the US government would certainly not end
with "send them a strongly worded letter, since we're not totally convinced
they did it."

I mean, another country in the neighborhood went for strategic ambiguity for
many years. It worked very well right until it didn't.

~~~
wladimir
I certainly don't disagree that it is very dangerous and might cause countries
to attack each other in extreme cases. It does give a third party a relatively
cheap strategic option to pit countries against each other.

------
msy
If I worked for a US/UK/Russian/Chinese intel organisation I'd make damn sure
we had a steady pool of logless proxies dotted about on boxes in Iran,
Pakistan and whatever net-connected boxes North Korea has.

~~~
tomjen3
NK gets its internet connections (which are available only to the uttermost
top of the party, which means when the country collapses the population is in
for something of a wakeup) through China.

------
jpravetz
You have to wonder what form of authentication was used at Comodo's
Registration Authority server that enabled it to be breached. Maybe an RSA
SecurID token :-) (see
http://steve.grc.com/2011/03/19/reverse-engineering-rsas-statement/).
Seriously, I'd have thought the admin account on an RA server
would require multiple approvals, on-site access or something. I guess we'll
have to wait for the details to come out. Something like this is bound to
eventually happen when you have so many trusted root SSL certs in play.

~~~
codelion
That will always be a problem with trusting some 3rd party for certificates;
as soon as the number of trusted parties increases, these things can become more
frequent.

------
iuguy
Attribution is a massive problem when it comes to attacks. An IP address
source does not mean that the attacks were Iranian in origin. It is distinctly
possible that the Iranian systems were compromised, or that people were using
Iranian hosts to cover their tracks (try getting a US-led forensic
investigation team to get logs from an Iranian system).

It is also possible that after Stuxnet, the Iranian government and military
have had to consider their options and that this would be an option (bearing
in mind that CNNIC-signed certificates have been accepted in Firefox for a
while and that CNNIC have been involved in surveillance ops on people in
China).

As for what's actually happening, the people that know are probably unwilling
to discuss it on Hacker News or the EFF website.

~~~
tptacek
Iran's best option after Stuxnet is a spectacularly blatant and strategically
negligible caper on Yahoo Mail?

~~~
iuguy
We don't know. If it was, do you really think it would be their only
operation? Who else would have both the capability to massively MITM SSL
within a geographical area? I'm not suggesting it was the Iranian government
(to clarify, neither was my post above), but for someone to go after the certs
it would be expected they'd want to have somewhere (or at least someone) to
MITM in mind.

How many Iranians use Yahoo Mail? How many people of interest outside of Iran
use Yahoo Mail?

------
mike-cardwell
Admittedly, this is of no use to the average Internet user, but there's a
Firefox addon called Certificate Patrol. It alerts you when an SSL certificate
changes. It shows you the old cert information alongside the new cert
information. It tells you if the old cert was due to expire, and also if the
signing authority has changed.

There's also Perspectives.
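
The checks described above (remember the last certificate seen per host, flag a change, and tell the user whether the old one was about to expire and whether the issuer changed) as an added, stand-alone example in Python. This is not Certificate Patrol's code or the Perspectives code; it uses a simplified, constructed view of the certificate fields (subject, issuer, validity dates, a stand-in for the encoded certificate) and a hypothetical 30-day renewal window, so the classification thresholds are assumptions, not the addon's.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Simplified model of the certificate fields a change monitor compares.
# In a real client these come from the DER certificate the server presents;
# here they are constructed for the walkthrough.
@dataclass(frozen=True)
class CertInfo:
    host: str
    subject: str
    issuer: str
    not_before: datetime
    not_after: datetime
    der: bytes  # constructed stand-in for the encoded certificate

    @property
    def fingerprint(self) -> str:
        # Fingerprint over the (stand-in) encoded certificate, as a pin would be.
        return hashlib.sha256(self.der).hexdigest()


# Assumption: a change is "expected" only if the old cert was within this
# window of expiry. Certificate Patrol's own heuristic may differ.
RENEWAL_WINDOW = timedelta(days=30)


def classify_change(old, new, now):
    """Compare the stored certificate for a host with the one just presented.

    Returns (verdict, reasons): verdict is one of
    'first-seen', 'unchanged', 'renewed' or 'suspicious'.
    """
    if old is None:
        return "first-seen", ["no stored certificate for this host"]
    if old.fingerprint == new.fingerprint:
        return "unchanged", []
    reasons = []
    if old.issuer != new.issuer:
        reasons.append(f"signing authority changed: {old.issuer!r} -> {new.issuer!r}")
    if old.not_after - now > RENEWAL_WINDOW:
        reasons.append(f"old certificate was not due to expire until {old.not_after.date()}")
    if old.subject != new.subject:
        reasons.append(f"subject changed: {old.subject!r} -> {new.subject!r}")
    verdict = "suspicious" if reasons else "renewed"
    return verdict, reasons


class CertStore:
    """Per-host pin store: only first-seen and plausible renewals are recorded,
    so a suspicious certificate never silently replaces the pin."""

    def __init__(self):
        self._pins = {}

    def observe(self, cert, now):
        verdict, reasons = classify_change(self._pins.get(cert.host), cert, now)
        if verdict in ("first-seen", "renewed"):
            self._pins[cert.host] = cert
        return verdict, reasons


# Constructed reference date for the walkthrough.
NOW = datetime(2011, 3, 23, tzinfo=timezone.utc)


def make_cert(host, issuer, not_before, days_valid, serial):
    """Build a constructed certificate record; `serial` just makes the stand-in bytes unique."""
    der = f"{host}|{issuer}|{serial}|{not_before.isoformat()}".encode()
    return CertInfo(host, f"CN={host}", issuer, not_before,
                    not_before + timedelta(days=days_valid), der)


def demo():
    """Walk one host through first visit, repeat visit, a routine renewal and
    an unexpected issuer change; returns the list of verdicts in order."""
    store = CertStore()
    verdicts = []
    # Issued 350 days ago, valid 365 days: expires in 15 days, inside the window.
    c1 = make_cert("mail.example.com", "CN=Example CA 1", NOW - timedelta(days=350), 365, 1)
    verdicts.append(store.observe(c1, NOW)[0])  # first-seen
    verdicts.append(store.observe(c1, NOW)[0])  # unchanged
    # Same issuer, old cert about to expire: a plausible renewal.
    c2 = make_cert("mail.example.com", "CN=Example CA 1", NOW, 365, 2)
    verdicts.append(store.observe(c2, NOW)[0])  # renewed
    # Next day: different issuer and the pinned cert had ~364 days left.
    c3 = make_cert("mail.example.com", "CN=Other CA", NOW, 365, 3)
    verdicts.append(store.observe(c3, NOW + timedelta(days=1))[0])  # suspicious
    return verdicts


if __name__ == "__main__":
    print(demo())
```

The point of keeping the pin unchanged on a "suspicious" verdict is that a single bad observation should prompt the user, not become the new baseline; that is the same trust-on-first-use trade-off the addon makes, and it is why the comment notes it is of little help to someone who never inspects the warning.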

~~~
ZoFreX
Certificate Patrol looks amazing - amazing enough to switch back from Chrome
to Firefox in fact (now that Firefox is a bit snappier). Pity it's not
available for Firefox 4!

~~~
phaylon
It seems to have been available for the beta, though. So I guess that is
simply yet to come.

------
Joakal
The Tor project dislikes even the EFF's SSL certificate for having a wildcard domain
(*.eff.org).

There's more information:
https://blog.torproject.org/blog/detecting-certificate-authority-compromises-and-web-browser-collusion

------
ck2
I wish SSL and HTTPS authentication had been separated at birth.

I'd like HTTP SSL encryption and I'll worry about certification as another
problem.

~~~
tptacek
I think Iran's intelligence services also wish SSL and HTTPS authentication
had been separated at birth. Sure would make things easier for them if all
they needed was the MITM proxy, and not the certificate.

------
euroclydon
Does anyone maintain a list of root certs that are or might be compromised, so
we can manually remove them?

~~~
tptacek
It wasn't a root certificate that was compromised, was it? Unless you consider
the breach at Comodo to be a compromise, in which case, axe Comodo's certs
(and suffer 10000 SSL cert warning dialogs).

------
Flenser
Strange, why is the eff link https? The site only appears to work on http. I
can't be the first to click through to the article surely?

------
Tomis
This "Iranian hackers" thing is complete bollocks if you ask me.

The article's title should sound the same regardless of the hacker's
nationality but if it doesn't (there may be a more menacing feel to it) then
that's probably thanks to the media's propaganda which would like to put the
words "Iranian", "nazi" and "pedophile" on the same level.

Are we going to fall back to the same silly "we're the good guys, they're the
bad guys" cold war rhetoric? Come on.

