Big Brother Watching Iran's Google Users?
This week a user of Google's services in Iran noticed that Chrome was warning him against visiting certain Google sites. The user, "Alibo," posted his concerns on Google's support forum.
In a blog post Google said the fake certificate, supposedly issued by a Dutch certification authority called DigiNotar, was part of a "man in the middle" attack. In such attacks, often abbreviated MITM, a hacker tries to get in between a user and an encrypted or secure service. For example, a hacker could have his system present a digital certificate -- a "signature" that authenticates a site -- and fool a user into thinking that their communications were securely encrypted when in fact they aren't. Certificates are issued by companies that browsers are built to trust, and that trust is extended to the many sites those companies vouch for. But those companies can themselves be attacked by hackers.
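The warning Alibo saw is the kind of check a client can make when it already knows which certificates, or which issuing authorities, a site normally uses: a certificate that chains to a trusted CA but does not match what the client expects is treated as suspect. The following is an added example, not code from the article, from Google or from DigiNotar. It uses only the Python standard library; the pin policy, the "Example Trusted CA" issuer and the DER byte strings are constructed stand-ins for illustration, and the parsed-certificate dicts follow the format that `ssl.SSLSocket.getpeercert()` returns.

```python
import hashlib
import socket
import ssl


def fingerprint(der_bytes: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der_bytes).hexdigest()


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Match a certificate name against a hostname.

    A leading '*' matches exactly one DNS label, so '*.google.com' covers
    'mail.google.com' but neither 'google.com' nor 'a.b.google.com'.
    """
    pattern, hostname = pattern.lower(), hostname.lower()
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]                      # e.g. ".google.com"
    if not hostname.endswith(suffix):
        return False
    first_label = hostname[: -len(suffix)]
    return first_label != "" and "." not in first_label


def _rdn_values(name_tuples, attr):
    """Collect one attribute's values from a getpeercert()-style name.

    getpeercert() encodes a distinguished name as a tuple of RDNs, each RDN a
    tuple of (attribute, value) pairs, for example
    ((('countryName', 'NL'),), (('organizationName', 'DigiNotar'),)).
    """
    return [v for rdn in name_tuples for (k, v) in rdn if k == attr]


def check_certificate(hostname, der_bytes, parsed, policy):
    """Return a list of findings; an empty list means the certificate passes.

    `parsed` is in the dict format of ssl.SSLSocket.getpeercert(); `policy`
    maps a name pattern to the pinned fingerprints and allowed issuer
    organizations for hosts matching that pattern.
    """
    findings = []

    # 1. The certificate must actually be for this host (subject CN or a DNS SAN).
    names = _rdn_values(parsed.get("subject", ()), "commonName")
    names += [v for (k, v) in parsed.get("subjectAltName", ()) if k == "DNS"]
    if not any(hostname_matches(n, hostname) for n in names):
        findings.append(f"name mismatch: certificate names {names} do not cover {hostname}")

    # 2. Find the pin entry that applies to this hostname, if there is one.
    pin = next((p for pat, p in policy.items() if hostname_matches(pat, hostname)), None)
    if pin is None:
        return findings   # no pins for this host: ordinary chain validation decides

    # 3. Pinned fingerprint: a certificate minted by a different CA will not match.
    fp = fingerprint(der_bytes)
    if fp not in pin["fingerprints"]:
        findings.append(f"fingerprint {fp[:16]}... is not pinned for {hostname}")

    # 4. Issuer allow-list: a CA the site never used is a warning sign on its own.
    issuers = _rdn_values(parsed.get("issuer", ()), "organizationName")
    if not any(i in pin["issuer_orgs"] for i in issuers):
        findings.append(f"issuer {issuers} is not an expected CA for {hostname}")
    return findings


def fetch_peer_certificate(hostname, port=443):
    """Fetch a live server certificate as (DER bytes, parsed dict). Needs network access."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port)) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert(binary_form=True), tls.getpeercert()


# ---- constructed sample data: stand-ins, not real certificates ----
GENUINE_DER = b"constructed DER bytes of the certificate the site really uses"
ROGUE_DER = b"constructed DER bytes of a certificate minted at a compromised CA"

GENUINE_PARSED = {
    "subject": ((("commonName", "*.google.com"),),),
    "issuer": ((("organizationName", "Example Trusted CA"),),),   # hypothetical CA
    "subjectAltName": (("DNS", "*.google.com"), ("DNS", "google.com")),
}
ROGUE_PARSED = {
    "subject": ((("commonName", "*.google.com"),),),
    "issuer": ((("countryName", "NL"),), (("organizationName", "DigiNotar"),)),
    "subjectAltName": (("DNS", "*.google.com"),),
}

# Hypothetical pin policy: what a client expects to see for these names.
PIN_POLICY = {
    "*.google.com": {
        "fingerprints": {fingerprint(GENUINE_DER)},
        "issuer_orgs": {"Example Trusted CA"},
    },
}

if __name__ == "__main__":
    for label, der, parsed in (("genuine", GENUINE_DER, GENUINE_PARSED),
                               ("rogue", ROGUE_DER, ROGUE_PARSED)):
        print(label, check_certificate("mail.google.com", der, parsed, PIN_POLICY) or "OK")
```

Run as a script, the genuine sample passes and the rogue sample produces two findings, one for the unpinned fingerprint and one for the unexpected issuer. The point of the design is that the rogue certificate would pass ordinary chain validation, since DigiNotar was a trusted CA; only the client's prior knowledge of which certificates the site uses catches it, and `fetch_peer_certificate` shows where a real client would obtain the DER bytes and parsed fields that the check consumes.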
In this case, a digital certificate that was supposed to have been issued by DigiNotar was a fake, the result of a hacking attack on DigiNotar's systems back in July, which allowed the hackers to generate their own certificates. DigiNotar issued a statement that the fraudulently issued certificates had been revoked. But one was still in circulation, and DigiNotar later said several dozen certificates had been issued by the hackers.
That was what Alibo found when his browser, Google's Chrome, warned him. The hack seemed to affect users mostly in Iran, and led Alibo to ask if it might be an Iranian government effort to gather information on Internet users there.
A similar incident occurred in March, when Comodo Group, an American Internet security company, said that hackers had issued several digital certificates for sites such as google.com and mail.google.com. The company originally thought the attack, which compromised the user account of a registration authority, came from the Iranian government, but later a lone hacker (who happened to be Iranian) claimed credit. In the DigiNotar case there doesn't seem to be any hard evidence of who it was.
Roel Schouwenberg, senior researcher at Kaspersky Lab, says the rogue certificates have all the marks of an intelligence operation, but it isn't clear whether that is the case here. "They're after Google credentials, most likely for gmail specifically. This way emails can be read/written. Also, the nature of the attack requires a certain control over the network/internet. This would entail cooperation at an ISP. As such, a government attack is the most plausible explanation," he wrote in an email.