
Gmail.com being MITM'd by Iran using this certificate - koenigdavidmj
http://pastebin.com/ff7Yg663
======
emilsedgh
Posting from Iran, I'm really worried about the current security status. Iran's
opposition mostly exists on internet these days and it's very seriously flawed.

Man In The Middle attacks are increasing and users usually ignore error
messages about them. (Firefox throws an error dialog but it has an 'I
understand the risks' button. People just ignore the error).

Also, last year many Iranian FriendFeed users were arrested and the government
knew about all their private discussions on FriendFeed. (FriendFeed has been
censored since the beginning. But it suddenly became uncensored for a day or
two. On the other hand, FriendFeed generates an 'auth' key for each user and
lets him see his RSS feed using that key. And puts the auth key in every page:
government probably collected auth keys and used it to read discussions of
people they arrested)

Governments using internet to spy on their civilians is not a myth. Anonymity,
trusting the cloud and related issues seem far more important when you
suddenly find out a friend of yours has been arrested and his location and
charges are unknown.

~~~
mrb
"Man In The Middle attacks are increasing and users usually ignore error
messages about them"

Note that the reported MiTM attack should _not_ result in a popup warning,
because the CA certificate used in the MiTM is supposedly technically valid.
Does anybody know which browsers include this CA? Browser vendors should
consider removing it based on ethical concerns, especially if this MiTM attack
is being performed very broadly, at the country level.

~~~
mcpherrinm
Mozilla is spinning up new releases to remove the cert.

See <http://blog.mozilla.com/security/2011/08/29/fraudulent-google-com-certificate/>

Instructions on how to delete it yourself are available at
<http://support.mozilla.com/en-US/kb/deleting-diginotar-ca-cert>

~~~
shabble
They really ought to add a search field to that list view.

------
deweller
So help me understand...

A government agency in Iran has obtained the private key of the root
certificate for the DigiNotar Certificate Authority. And with that, they can
decrypt and re-encrypt SSL traffic by pretending that they have the valid SSL
certificate for *.google.com.

Is that the way this works?

~~~
modeless
That's one possibility, and quite scary because someone with that private key
could hijack any SSL connection to any site, not just Google. More likely is
that Iran caused DigiNotar to issue them a valid .google.com certificate via
social engineering, bribery, or hacking. This is slightly less scary because
only .google.com would be affected.

Either way, IMHO DigiNotar's root certificate should be revoked and they
should be barred from participating in the CA system ever again. The
seriousness of SSL MITM attacks is such that a "one strike and you're out"
policy is warranted. With so much commerce running over SSL these days,
possession of the private key of a CA's root certificate would allow you to
implement plots worthy of a James Bond supervillain.

~~~
yuhong
In fact, guess what:
<http://blog.mozilla.com/security/2011/08/29/fraudulent-google-com-certificate/>

~~~
modeless
Great! I'm glad DigiNotar will be punished for this lapse. Too bad it takes a
code update to revoke their certificate. This won't be the last CA compromise
we see.

~~~
bigiain
"This won't be the last CA compromise we see."

Indeed. I strongly suspect too that it's only "the first one we've seen", and
not "the first one".

I have very little doubt that most nation-state sized adversaries have the
ability to forge whatever certs they want. It's only careful use of those
forged certs (or dumb luck) by the agencies using them that have kept them out
of the blogosphere...

~~~
modeless
Yeah, if NSA doesn't have at least one root CA key they're not doing their
jobs. What we need is an alternative to the centralized CA system, like TOFU
POP MONK.

~~~
lawnchair_larry
They do, and it isn't even hiding. Take a look in your cert store and you will
see multiple DoD root CAs.

~~~
jmcqk6
I just checked, and at least with firefox, I didn't see any. What are you
referring to exactly?

~~~
lawnchair_larry
Odd, my OS X machine has 2 of them listed. I don't see it in firefox though.

------
bwblabs
Do we actually know how many SSL certs Google uses, and for what?

From what I can see:

- Google Search & Google+ (<https://encrypted.google.com/>
<https://plus.google.com/>) are using a *.google.com from GeoTrust/Google
Internet Authority

- Google Mail (<https://www.google.com/accounts/>) is using a www.google.com
from VeriSign/Thawte

Of course I'm also afraid that this is indeed a MITM attack against Iranian
users.

With SSL certs that cost less than $15 you can expect that things cannot be
thoroughly checked, however a Wildcard DigiNotar SSL cert is costing you € 750
a year (in a 4 year contract
<http://diginotar.nl/OnlinePrijsindicatie/tabid/1417/Default.aspx>),
you would expect that these things would not be possible.

If they however hacked the root CA, it's even more scary, also Vasco (the
mother company) makes virtually every Two-factor authentication used for Dutch
Banking..

~~~
blauwbilgorgel
Scary indeed. Also responsible for authentication of DigiD, online taxes,
pension funds, Chamber of Commerce, Ministry of Security and Justice, local
governments, etc.

~~~
joelhaasnoot
Didn't check it myself, but apparently DigiD for instance is on a different
CA/root. DigiD is the Dutch "unified account" for all online government
services: you can take out student loans, submit taxes, etc.

~~~
blauwbilgorgel
<http://www.diginotar.nl/Aanvragen/Lopendeprojecten/DigiDMachtigen/tabid/2059/Default.aspx>
They have this listed as an active project, so they are definitely involved.
Could still be on a different CA though. And of course _if_ they were hacked.

------
wxs
If you want to disable diginotar's root CA on your Mac (for Safari/Chrome) you
can open Keychain Access, select the "System Roots" keychain at the top left,
find the diginotar certificate in the list, and delete it (or disable it,
which is what I did).

EDIT: This definitely works for Safari, not 100% sure if it does for Chrome
after all.

~~~
technomancy
$ sudo dpkg-reconfigure ca-certificates # for debian-based systems

~~~
andreasvc
I've always wondered what that package is actually used for, because programs
like firefox, chromium, &c, maintain their own list of root CAs.

------
gmaslov
This type of compromised-CA attack is why I never understood why browsers
don't use the OpenSSH model: accept and store (prompting for confirmation) the
certificate the first time you connect to a site, then throw up enormous red
flags if the certificate ever changes.

The Firefox root CA list has dozens and dozens of organizations on it. Could a
compromise of any one of them mean that this attack could be repeated?

~~~
tptacek
Because that security model means that a compromised ISP can permanently MITM
you the first time you visit a site on any computer for the first time. In
exchange for losing the single points of failure, it creates a constant stream
of opportunities to break the trust model.

You may think that's a good tradeoff. I don't, but reasonable people can
disagree about it. However, it's completely untenable for financial
information, because attackers after financial information aren't laser
targeted and are perfectly happy with a constant stream of compromised
sessions. Remember what TLS was designed for in the first place.

~~~
jfr
Wrong.

The OpenSSH model implies that you check the fingerprint of the public key
before you send encrypted data using that key. That is why SSH shows you the
fingerprint of the server key when you first connect, and you have to answer
"yes" in order to accept the key and add it to your keyring. You are supposed
to have talked to the person managing the system and that person should have
given you the fingerprint of the key.

It is virtually impossible for the ISP to intercept and sniff the stream
without changing the fingerprint.

The user still has to trust its SSH client.

~~~
tptacek
"Wrong! Random people will totally verify key fingerprints when they're
logging into Google Mail at Starbucks! After all, that's what every sysadmin
does with SSH, right!"

~~~
jfr
gmaslov is clearly talking about the OpenSSH trust model. You are confusing it
with the Trust On First Use model, which is not the same thing.

~~~
tptacek
I have no idea what you are trying to express here. "Trust On First Use" is a
synonym for key continuity. The fact that you have to type "yes" when SSH does
it and click a series of buttons when a browser does it doesn't change
anything.

I think you think that "Trust On First Use" means "automatically accept keys
the first time you hit a site". In fact, that's only true in practice.
Presumably everyone's going to get the "Watch Out! This Could Be Iran!" dialog
from their browser, too.

------
vilhelm_s
Chrome users should be protected from this by the public key pinning feature
[<http://www.imperialviolet.org/2011/05/04/pinning.html>], right?

~~~
ajross
Sounds like it. But this isn't an architectural solution. All this does is
layer an additional level of "trust" requirements onto the existing protocol.
The "pinning whitelist" is isomorphic to the root CA list and can be
compromised in exactly the same way.
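
The three trust models argued over in this part of the thread (CA-only validation, Chrome-style pinning, and OpenSSH-style key continuity), side by side, as an added example that is not part of any commenter's post. The host name, chain bytes and verdict strings are constructed placeholders, and whole-certificate hashes stand in for the public-key hashes that real pinning uses.

```python
import hashlib

# Constructed placeholder bytes standing in for DER certificates (not real certs).
GENUINE_CHAIN = [b"leaf:mail.example genuine", b"ca:Expected Issuer"]
ROGUE_CHAIN = [b"leaf:mail.example rogue", b"ca:Compromised Issuer"]

def fp(cert: bytes) -> str:
    """SHA-256 over the bytes (assumption: real pinning hashes the public key)."""
    return hashlib.sha256(cert).hexdigest()

def ca_only(chains_to_trusted_root: bool) -> str:
    # Classic model: any root in the store may vouch for any host name.
    return "ACCEPT" if chains_to_trusted_root else "WARN_UNTRUSTED"

class PinSet:
    """Preloaded pins: a cert in the chain must match, even under a trusted CA."""
    def __init__(self, pins):
        self.pins = {host: set(values) for host, values in pins.items()}

    def check(self, host, chain, chains_to_trusted_root):
        if not chains_to_trusted_root:
            return "WARN_UNTRUSTED"
        if host in self.pins and not self.pins[host] & {fp(c) for c in chain}:
            return "REJECT_PIN_MISMATCH"
        return "ACCEPT"

class ContinuityStore:
    """known_hosts-style key continuity (trust on first use)."""
    def __init__(self):
        self.known = {}

    def check(self, host, chain):
        leaf = fp(chain[0])
        if host not in self.known:
            self.known[host] = leaf  # nothing to compare against yet
            return "FIRST_USE"
        return "ACCEPT" if self.known[host] == leaf else "ALERT_KEY_CHANGED"

def demo():
    host = "mail.example"
    pins = PinSet({host: [fp(GENUINE_CHAIN[1])]})
    clean, poisoned = ContinuityStore(), ContinuityStore()
    return {
        # A rogue chain signed by a trusted root raises no warning at all.
        "ca_only_rogue": ca_only(True),
        "pinned_genuine": pins.check(host, GENUINE_CHAIN, True),
        "pinned_rogue": pins.check(host, ROGUE_CHAIN, True),
        # Genuine cert seen first: the later swap is flagged.
        "tofu_clean": [clean.check(host, c) for c in (GENUINE_CHAIN, ROGUE_CHAIN)],
        # Interception on first contact: the rogue key is stored, the real one alarms.
        "tofu_poisoned": [poisoned.check(host, c)
                          for c in (ROGUE_CHAIN, ROGUE_CHAIN, GENUINE_CHAIN)],
    }

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, verdict)
```

The `tofu_poisoned` row is the first-connection weakness raised above, and `pinned_rogue` is the check that catches a chain a CA-only client accepts silently.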

------
JoshTriplett
A quick check of Bugzilla didn't turn up a bug directly about this issue, but
<https://bugzilla.mozilla.org/show_bug.cgi?id=681902#c6> from one of the
people who deals with CA issues at Mozilla mentions "the current DigiNotar
incident", so they clearly know about it.

~~~
sp332
It took 3 months to get their customers transferred over to this new cert.
<https://bugzilla.mozilla.org/show_bug.cgi?id=622589> I wonder if the CA was
compromised since earlier this year, or if it's more recent?

------
lawnchair_larry
I'm confused about how this was detected. The original report provided this
screenshot:

<http://i.imgur.com/hs0H4.jpg>

If it is a case of a root CA signing a cert for someone else, this shouldn't
have actually produced an error. What did the MITMers screw up here?

~~~
stock_toaster
Chrome feature, as noted here: <https://news.ycombinator.com/item?id=2938905>

------
0x0
Found a pastebin with slightly more info: <http://pastebin.com/SwCZqskV>

------
VladRussian
if root is compromised it sounds promising :

<http://www.vasco.com/company/press_room/news_archive/2011/acquisition_diginotar.aspx>

"...DigiNotar is an official Dutch certification authority, capable of
issuing, validating and registering certificates (identities) of Dutch
nationals and entities that are recognized throughout the European Union and
are used to authenticate government applications. As such, DigiNotar provides
VASCO with a strong foothold in the Dutch eGovernment market with the
potential to expand the product line to government applications in other
countries. Currently, DigiNotar’s market scope for its CA activities is
limited to the Netherlands. VASCO may decide to introduce DigiNotar as a
certification authority in other EU countries...."

all that security was riding on 10M euros (with such [meager] amounts in play,
one would think that it would be easier for a player like Iran just buy an
authority than to crack/hack it, though seems like VASCO was faster (if of
course VASCO isn't in the game as well) :) :

"...VASCO acquired DigiNotar in stock and asset purchase for aggregated cash
consideration of Euro 10.0 million..."

what is the cost in Netherlands to have a reasonably secure office building
with some access controlled areas suitable for CA authority core operations?
Sounds like very cheap.

~~~
joelhaasnoot
You forget their possible debt...

~~~
VladRussian
nope. VASCO is a NASDAQ-ed "Inc" and would have mentioned any additionally
assumed materially important liabilities in the official press release.

------
packetlss
In order to mitigate attacks like this Firefox users can use:
<http://convergence.io/>

~~~
windexh8er
There's also another, similar, project called Perspectives:
<http://perspectives-project.org/>

The Syrian government was doing this recently as well:
<https://www.eff.org/deeplinks/2011/05/syrian-man-middle-against-facebook>

Oh and don't forget about the EFF's SSL Observatory:
<https://www.eff.org/observatory>

------
zrail
I checked and the cert from gmail.com for me is from Thawte. Is this a
targeted attack toward only those in Iran?

~~~
yuhong
I think so. These kinds of things are almost always targeted attacks.

~~~
uxp
The Thawte certificate is the certificate issued to google by request of
google. This certificate is apparently being used to MITM connections to gmail
that originate inside Iran. Outside of Iran BGPing a major ISP into routing
through them, or setting up a standard "phishing" mirror site, no one outside
of Iran should worry much.

It still is a good idea to blacklist that root certificate on your internet
devices though. If this certificate is being used, who knows what other
websites it has issued legitimate but malicious certificates for.

~~~
ajross
No one outside of Iran should worry about this particular google cert, you
mean.

The obviously compromised root CA shipped by default in every computer in
operation is something we very much _should_ worry about. Who else has access
to DigiNotar's cert? Surely there are players out there willing to pay more
than Iran is...

~~~
marshray
Of course you should worry. The attacker may have sold the cert to other
parties, not just Iran. Or if it was Iran directly, they may sell the certs to
other parties to make a pretense of deniability.

------
sp332
OK, how do we remove this CA from our computers?

~~~
drtse4
In Chrome it looks like you can't remove it, but at least you can disable the
use of that CA to identify sites, etc... from Preferences > Manage Certificates.

~~~
wonderzombie
Chrome uses whatever the OS uses, as far as I can tell. Preferences > Manage
Certificates just opens up the Keychain Access app. Upthread are instructions
for how to do it from there.

------
sliverstorm
What are the implications of this? It is potentially unsecured to visit
gmail.com from anywhere? Is this web-interface only, or is IMAP/POP access
also vulnerable?

~~~
cookiecaper
The consensus seems to be that Iran is poisoning intra-country connections to
attach this certificate to gmail.com instead of the real certificate, so this
would only be occurring where Iran controlled the network infrastructure.
Since the certificate is signed by a trusted CA, no warning is provided to the
user that the certificate may be unsafe.

GMail still shows a certificate issued by Thawte for me (in the USA).

~~~
VladRussian
>The consensus seems to be that Iran is poisoning intra-country connections

more precisely they can poison any traffic (CA-ed by Diginotar) that passes
through the routers/wires under Iran's control, that can be anything what they
have already hacked into before as well as just redirected traffic using BGP
similar like this

<http://www.washingtontimes.com/news/2010/nov/15/internet-traffic-was-routed-via-chinese-servers/>

Btw, aren't China and Iran collaborating usually? There is potential for
synergy.

------
rmc
Assuming this certificate stuff is legit, how do we know this is being done by
Iran? What makes anyone think this is Iran?

~~~
JoshTriplett
The claims reported in various places suggest that people in Iran have
actively observed this certificate used in MITM attacks on gmail connections.
No hard evidence yet, and no idea what original source people keep repeating
(possibly the pastebin itself).

------
0x12
If your communications can land you in jail or get you killed don't use the
internet (or even a computer, keystroke loggers are easy to install and very
hard to detect), no matter how clever you think you are, and no matter how
many 'lock' icons appear in your browser.

In such cases paranoia is perfectly justified.

It's a real pity this requires a code update because that means that the
change will take long to propagate and will likely never be really complete,
at the same time I'm sure there are good reasons for that and that an
automated process to revoke just any certificate could itself probably be used
as an attack vector.

What would happen if they simply revoked the root certificate that was used to
sign this fake?

------
sp332
Here's a bug report from the user who originally noticed it:
<http://www.google.co.uk/support/forum/p/gmail/thread?tid=2da6158b094b225a&hl=en>

------
blauwbilgorgel
Update on Dutch news site nu.nl (without references or sources, so I can't
confirm where they got this information from).

<http://translate.google.com/translate?tl=en&u=http%3A%2F%2Fwww.nu.nl%2Finternet%2F2603449%2Fmogelijk-nepsoftware-verspreid-naast-aftappen-gmail.html>

Fraudulent certificates were given out for:

().mozilla.org (backdoored software?)

().wordpress.com

().torproject.org

().yahoo.com

And Baladin (an Iranian social network)

------
iscrewyou
I am no hacker so I have almost no idea what's going on.

MITM = Man In The Middle.

Does this mean that Iran is eavesdropping on gmail users IN Iran? Or outside
their country too?

Does anyone mind sharing what this means to the end user?

I did block the certificate on my Air as wxs mentioned.
<http://news.ycombinator.com/item?id=2938755>

~~~
marshray
Yes, this fraudulently-issued certificate is being reported seen in the wild
from users of Iranian ISPs. It has not been reported anywhere else.

If you were using an Iranian ISP to log in to *.google.com, you may have been
hacked.

~~~
iscrewyou
Thanks for explaining that, kind sir.

------
microkernel
Anyone can tell us if this is for real or a hoax? I am lacking sufficient ssl
knowledge here...

~~~
koenigdavidmj
Mikko Hypponen of F-Secure seems to think that it is real:
<http://twitter.com/#!/mikkohypponen>

------
levigross
This attack could have hit people in other countries as well. Small, well-placed
malicious BGP updates can reroute traffic into Iran.....

------
pointyhat
SSL snake oil. SSL and the perceived trust around it has to die. It's a big
lie, especially with broken CAs, lax security, poor encryption due to
international policy and several technical and conceptual flaws.

Some critique here to back me up:

<http://www.theregister.co.uk/2011/04/11/state_of_ssl_analysis/>

~~~
pyre
And the solution is? Getting everyone on to PGP/GPG? Explaining to the general
public what a web of trust is and actually get them to use it in the correct
fashion (rather than clicking 'trust' the same way they click through all
dialog boxes)?

~~~
tptacek
The irony here is, if you want "web of trust", you _already have it_ ; just
remove all the certs from your browser and trust sites selectively.

~~~
icebraining
Where's the "web" in that? Web of Trust is supposed to be a system where users
'tell' each other what they trust, forming a 'web' of trust links.

~~~
tptacek
So when the certificate error comes up, ask your friends whether they trust
it. You are talking about a web application that is almost "hello world" in
Django or Rails.

~~~
icebraining
So, build it. Then make it secure enough that any schmuck won't be able to
hack it and serve fake 'trusts'. Then decentralize it so that governments like
Iran's can't MITM it. Then solve the problem of having a single organization
deploying thousands of fake nodes and poisoning the data.

After you've done that, yes, it'll exist.

------
jsavimbi
So Google wrote Stuxnet?

