Rogue Google SSL certificate allowed MITM Gmail attacks
Posted on 30 August 2011.
Recently discovered attempts at an SSL man-in-the-middle attack against Google users - spotted by a number of Iranian Internet users - have revealed that Dutch Certificate Authority DigiNotar issued an SSL certificate for all *.google.com domains on July 10.

The forged certificate was revoked only yesterday, which means that whoever was behind these attacks had the ability to trick users into believing that they were securely accessing any of the SSL-based Google services for more than a month.

Speculation abounds about who might be behind the attacks, and given that Iranian users seem to have been particularly targeted, some believe that the Iranian government is the culprit - especially because this type of attack can usually be executed successfully only if the attacker has a measure of control over the network.

The second reason to suspect them is the fact that the forged certificate was issued for Google and its services, and Gmail is often used by political dissidents all over the world.

The attack was spotted thanks to a Chrome warning that popped up for an Iranian user of the Chrome browser when he tried to log in to his Gmail account. The warning was shown because of a new security feature introduced in Chrome 13. Called certificate pinning, it ensures that, when HTTPS is forced for a domain, only a more trusted subset of CAs is permitted to identify it.
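
The check that pinning adds on top of ordinary CA validation, as an added example that is not part of the original article and not Chrome's code. Assumptions: chain validation is modeled as root-store membership only, the key byte strings and pin list are constructed, and SHA-256 over the public key is an assumed pin format.

```python
import hashlib

def spki_hash(spki_der: bytes) -> str:
    """Pin value: SHA-256 over a certificate's SubjectPublicKeyInfo bytes."""
    return hashlib.sha256(spki_der).hexdigest()

# Constructed stand-ins for public keys (real pins hash the DER-encoded SPKI).
PINNED_CA_KEY = b"constructed-spki: pinned CA"
OTHER_CA_KEY = b"constructed-spki: other trusted CA"
LEAF_KEY = b"constructed-spki: leaf"

# Without pinning, every CA in the root store can vouch for any name.
ROOT_STORE = {spki_hash(PINNED_CA_KEY), spki_hash(OTHER_CA_KEY)}

# Hypothetical pin list: domain -> (allowed CA key hashes, include subdomains?)
PINS = {"google.com": ({spki_hash(PINNED_CA_KEY)}, True)}

def pins_for(host: str):
    """Return the pin set covering host, or None if the host is not pinned."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        entry = PINS.get(".".join(labels[i:]))
        # i == 0 is an exact match; parent entries apply only with the flag set.
        if entry and (i == 0 or entry[1]):
            return entry[0]
    return None

def evaluate(host: str, chain_spkis: list) -> str:
    """chain_spkis: key bytes of each certificate, leaf first, root last."""
    hashes = [spki_hash(k) for k in chain_spkis]
    if not hashes or hashes[-1] not in ROOT_STORE:
        return "reject: untrusted root"
    pins = pins_for(host)
    # Pinned host: at least one key in the chain must be on the pin list.
    if pins is not None and pins.isdisjoint(hashes):
        return "reject: pin mismatch"
    return "accept"

if __name__ == "__main__":
    # A chain from a trusted but unpinned CA passes CA validation alone,
    # and is rejected only because the host is pinned.
    print(evaluate("mail.google.com", [LEAF_KEY, OTHER_CA_KEY]))
    print(evaluate("mail.google.com", [LEAF_KEY, PINNED_CA_KEY]))
    print(evaluate("example.org", [LEAF_KEY, OTHER_CA_KEY]))
```
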

Since DigiNotar has yet to reveal how the rogue certificate was issued - Was it tricked into doing it? Was it and its root certificate compromised? - and since many browsers do not automatically check for revoked certificates, Microsoft, Mozilla and Google have taken steps to prevent further attacks.

According to Sophos, Mozilla has announced the release of new versions of their browser, mail client and Internet suite in which trust of DigiNotar's root certificate will be revoked.

Microsoft has decided to remove the DigiNotar root certificate from the Microsoft Certificate Trust List, and to release a future update to address this issue for all supported editions of Windows XP and Windows Server 2003. Google has also marked DigiNotar as untrusted in the upcoming release of the Chrome OS.

As with the compromise of a Comodo affiliate Registration Authority and the consequent issuing of rogue SSL certificates for a number of high-profile sites back in March, this incident again shows that the current CA infrastructure is inherently faulty and not worthy of being trusted, and that we need another solution for the Internet authentication problem.






COPYRIGHT 1998-2014 BY HELP NET SECURITY.