
Rogue Google certs used to spy on Iranian communications


A computer security firm claims to have “proof” that Iranians were the targets of the recent compromise of Dutch certification authority DigiNotar. Trend Micro said the rogue SSL certificates, which can allow the interception of supposedly secure communications such as email, were used for spying on Iranian Internet users on a large scale.

“We found that Internet users in more than 40 different networks of ISPs and universities in Iran were confronted with rogue SSL certificates issued by DigiNotar. Even worse: we found evidence that some Iranians who used software designed to circumvent censorship and snooping on traffic were not protected against the massive man-in-the-middle attack,” it said in a blog post.

Last July, hackers managed to create rogue SSL certificates for hundreds of domain names, including google.com and even the entire .com top-level domain, by breaking into the systems of Certification Authority DigiNotar in the Netherlands. Such rogue SSL certificates can be used in man-in-the-middle attacks, in which encrypted secure web traffic can be read by a third party. The rogue certificates were discovered Aug. 29.

Trend Micro cited data that its Trend Micro Smart Protection Network collected over time and analyzed. Its analysis includes which domain names are accessed from which parts of the world at what time. For the domain validation.diginotar.nl, it saw a “very remarkable pattern”: the domain was mostly loaded by Dutch and Iranian Internet users until August 30, 2011. The domain name validation.diginotar.nl is used by Internet browsers to check the authenticity of SSL certificates issued by DigiNotar.

“DigiNotar is a small Dutch Certification Authority with customers mainly in the Netherlands. We therefore expect that this domain name is requested by mostly Dutch Internet users and perhaps a handful of users from other countries. Not by a lot of Iranians,” it said.

On Aug. 28, Trend Micro noted that “a significant part” of the Internet users who loaded DigiNotar's SSL certificate verification URL were from Iran. But on Aug. 30, most of the traffic from Iran disappeared, and by September 2, 2011 almost all of the Iranian traffic was gone and DigiNotar was receiving mostly Dutch Internet users, as expected.

“These aggregated statistics from Trend Micro Smart Protection Network clearly indicate that Iranian Internet users were exposed to a large scale man-in-the-middle attack, where SSL encrypted traffic can be decrypted by a third party,” Trend Micro said. It said this could mean a third party was probably able to read all e-mail communication an Iranian Internet user had sent from his Gmail account.

Even more alarming, outgoing proxy nodes in the US belonging to anti-censorship software made in California were sending web rating requests for validation.diginotar.nl to Trend Micro's cloud servers. “Very likely this means that Iranian citizens, who were using this anti-censorship software, were victims of the same man-in-the-middle attack. Their anti-censorship software should have protected them, but in reality their encrypted communications were probably snooped on by a third party,” it said. — TJD, GMA News
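The core of the problem the article describes is that a browser accepted any certificate chaining to a trusted root, so a certificate for a Google hostname signed by a compromised CA validated exactly like a genuine one. The following added example (written for this page, not code from Trend Micro, DigiNotar or GMA News) reproduces that situation with two constructed, locally generated CAs and shows the defender-side check that catches it: public-key pinning, which requires the chain to contain a specific expected key rather than merely any trusted root. The CA names, the hostname used and the pin set are assumptions for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// newCA generates a self-signed CA certificate and its private key (constructed for the example).
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueLeaf has the given CA sign a server certificate for host, with no check that the CA
// has any business signing for that name; that is exactly what a compromised CA allows.
func issueLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, host string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// spkiPin is the base64 SHA-256 of the certificate's SubjectPublicKeyInfo, the pin form
// used by HPKP and common pinning libraries.
func spkiPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// chainValid is the ordinary browser check: does leaf chain to any trusted root for host?
func chainValid(leaf *x509.Certificate, roots *x509.CertPool, host string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}

// pinnedValid additionally demands that some certificate in a valid chain carries a pinned key.
func pinnedValid(leaf *x509.Certificate, roots *x509.CertPool, host string, pins map[string]bool) bool {
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	if err != nil {
		return false
	}
	for _, chain := range chains {
		for _, c := range chain {
			if pins[spkiPin(c)] {
				return true
			}
		}
	}
	return false
}

// Scenario models the article: two roots the browser trusts, one compromised and misissuing for a
// Google hostname. It returns (rogue chain validates, pinning rejects rogue, pinning accepts genuine).
func Scenario() (bool, bool, bool, error) {
	host := "mail.google.com" // hostname chosen for the example
	genuineCA, genuineKey, err := newCA("Example Genuine Root CA")
	if err != nil {
		return false, false, false, err
	}
	compromisedCA, compromisedKey, err := newCA("Example Compromised CA")
	if err != nil {
		return false, false, false, err
	}
	roots := x509.NewCertPool() // both roots are trusted, as DigiNotar was in 2011
	roots.AddCert(genuineCA)
	roots.AddCert(compromisedCA)
	genuineLeaf, err := issueLeaf(genuineCA, genuineKey, host)
	if err != nil {
		return false, false, false, err
	}
	rogueLeaf, err := issueLeaf(compromisedCA, compromisedKey, host)
	if err != nil {
		return false, false, false, err
	}
	pins := map[string]bool{spkiPin(genuineCA): true} // the client pins the genuine root's key
	return chainValid(rogueLeaf, roots, host),
		!pinnedValid(rogueLeaf, roots, host, pins),
		pinnedValid(genuineLeaf, roots, host, pins), nil
}

func main() {
	rogueOK, pinRejects, pinAccepts, err := Scenario()
	fmt.Println("rogue cert passes plain chain validation:", rogueOK)
	fmt.Println("pinning rejects rogue cert:", pinRejects, " pinning accepts genuine cert:", pinAccepts, " err:", err)
}
```

The first result is the uncomfortable one: with the compromised root still trusted, plain chain validation cannot distinguish the misissued certificate from the real one, which is why the Iranian users in the article saw no browser warning. Pinning closes that gap for the sites an application knows about; the complementary fixes in 2011 were revoking the DigiNotar roots from trust stores and, for CA misissuance in general, Certificate Transparency logging.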