Iran link to fraudulent digital certificates?

This screenshot shows the warning the user got when attempting to log into Gmail.


A Dutch company appears to have issued a digital certificate for Google.com to someone other than Google, who may be using it to try to re-direct traffic of users based in Iran.

Yesterday, someone reported in a thread on a Google support forum that when attempting to log in to Gmail the browser issued a warning for the digital certificate used as proof that the site is legitimate.

"Today, when I tried to login to my Gmail account I saw a certificate warning in Chrome," someone using the screen name "alibo" wrote. "I think my ISP or my government did this attack (because I live in Iran and you may hear something about the story of Comodo hacker!)" Alibo then posted a screenshot and the text of the certificate. The screenshot page was not accessible.

In this case the browser of the person reporting the problem warned that there was a problem with the digital certificate. However, it's unclear what triggered the warning, and other browsers may not issue one. In that event, a user could end up on a site that purports to be google.com but isn't.

CNET verified that the digital certificate is fraudulent. This Pastebin post details how to verify that a certificate is real and notes that it was issued in July.

The certificate was issued by DigiNotar, based in the Netherlands. Representatives from the company did not immediately respond to an e-mail seeking comment today and an automated message said the offices were closed for the night and offered no voice-mail option. A phone call and e-mail to Vasco Data Security, parent company of DigiNotar, were not immediately returned.

The situation is similar to one that happened in March in which spoofed certificates were found involving Google, Yahoo, Microsoft, and other major sites and they were traced back to Iran. In that case, the fraudulent digital certificates were acquired through reseller partners of certificate authority Comodo.

These attacks illustrate a fundamental weakness with the current Web site authentication system in which third parties issue certificates that prove that a Web site is legitimate when making an "https://" connection. The list of certificate issuers has ballooned over the years to approximately 650 organizations, which may not always follow the strictest security procedures. And each one has a copy of the Web's master keys. There is no automated process to revoke fraudulent certificates, nor is there a public list of certificates that companies like Comodo have issued, or even which of its resellers or partners have been given a duplicate set of the master keys. And there are no mechanisms to prevent fraudulent certificates for Yahoo Mail or Gmail from being issued by compromised companies, or repressive regimes bent on surveillance.

Today's system gives browser makers tremendous responsibility. Any list of so-called certificate authorities they include will be trusted by billions of Web browsers around the world, unless users take the time to change the settings.
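One mitigation a site operator or monitoring script can apply against the weakness described above is to check not only that a served certificate is valid, but that it was issued by the CA the operator actually uses. The following is an added example, not code from the article or from Google; the certificate values, the "Example Trusted CA" allowlist entry and the timestamp are constructed, in the dictionary shape Python's `ssl.SSLSocket.getpeercert()` returns.

```python
import ssl

# Constructed sample input in the shape ssl.SSLSocket.getpeercert() returns.
# Values are made up for illustration: a google.com leaf issued by a CA (named
# after the one in the article) that the site operator would not expect.
SUSPECT_CERT = {
    "subject": ((("commonName", "*.google.com"),),),
    "issuer": ((("countryName", "NL"),), (("organizationName", "DigiNotar"),),
               (("commonName", "constructed DigiNotar CA"),)),
    "subjectAltName": (("DNS", "*.google.com"), ("DNS", "google.com")),
    "notBefore": "Jul 10 19:06:30 2011 GMT",
    "notAfter": "Jul  9 19:06:30 2013 GMT",
}
# A constructed leaf from the CA the operator does expect (placeholder name).
GOOD_CERT = dict(SUSPECT_CERT, issuer=((("organizationName", "Example Trusted CA"),),))
EXPECTED_ISSUERS = {"Example Trusted CA"}  # the operator's issuer allowlist
SAMPLE_NOW = ssl.cert_time_to_seconds("Aug 29 12:00:00 2011 GMT")  # inside validity

def rdn_value(name, key):
    """First value for `key` in a getpeercert()-style name (tuple of RDNs)."""
    for rdn in name:
        for k, v in rdn:
            if k == key:
                return v
    return None

def matches_host(pattern, hostname):
    """RFC 6125-style match: a leading '*' covers exactly one label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        return (hostname.count(".") == pattern.count(".")
                and hostname.endswith(pattern[1:]))
    return pattern == hostname

def audit_cert(cert, hostname, expected_issuers, now):
    """Return findings for a served cert; [] means it is what we expect."""
    findings = []
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:  # pre-SAN certs: fall back to the subject CN
        cn = rdn_value(cert["subject"], "commonName")
        names = [cn] if cn else []
    if not any(matches_host(n, hostname) for n in names):
        findings.append(f"name mismatch: {hostname} not covered by {names}")
    org = rdn_value(cert["issuer"], "organizationName")
    if org not in expected_issuers:
        findings.append(f"unexpected issuer: {org!r} not in {sorted(expected_issuers)}")
    if not (ssl.cert_time_to_seconds(cert["notBefore"]) <= now
            <= ssl.cert_time_to_seconds(cert["notAfter"])):
        findings.append("outside validity period")
    return findings

if __name__ == "__main__":
    for label, cert in (("suspect", SUSPECT_CERT), ("good", GOOD_CERT)):
        print(label, audit_cert(cert, "www.google.com", EXPECTED_ISSUERS, SAMPLE_NOW))
```

The suspect certificate passes the name and validity checks that a browser performs, which is exactly why only the issuer allowlist flags it.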

Update 1:45 p.m. PT: Added details about the browser warning, and about CNET attempts to reach Vasco Data Security.

CNET's Declan McCullagh contributed to this report.
