Fake DigiNotar web certificate risk to Iranians

Man using computer Iran was a heavy user of DigiNotar certificates around the time that fake certificates were created

Related Stories

Fresh evidence has emerged that stolen web security certificates may have been used to spy on people in Iran.

Analysis by Trend Micro suggests a spike in the number of compromised DigiNotar certificates being issued to the Islamic Republic.

It is believed the digital IDs were being used to trick computers into thinking they were directly accessing sites such as Google.

In reality, someone else may have been monitoring the communications.

Hundreds of bogus certificates are thought to have been generated following a hack on Netherlands-based DigiNotar.

The company is owned by US firm Vasco Data Security.

Web passport
Authentication certificate Authentication certificates are used to verify secure websites' identity

Authentication certificates are used by many websites to give their users secure access.

Typically these take the form of a TLS or SSL connection - which can be identified by the appearance of a padlock logo and "https" prefix.

Together, they are supposed to guarantee that the site is what it appears to be, and that the user's session is not being monitored.

Hundreds of bodies - known as certificate authorities (CAs) - are allowed to provide such authentication.

Web browsers, such as Safari, Chrome, Firefox and Internet Explorer have a built-in list of which CAs they can trust.

However, if a third-party was able to steal certificate details or generate their own, they may be able to launch a "man-in-the-middle" attack, similar to tapping a phone line.

The presence of an apparently genuine certificate means browser security would be unlikely to detect the surveillance.

Issued and revoked

On 19 July, Dutch CA DigiNotar detected an unauthorised intrusion into its systems.

The company immediately revoked a number of bogus certificates that had been created as a result.

It emerged later that some were missed, and other new ones generated, after the initial attack.

Diginotar certificate use

Unconfirmed information published online suggested that more than 500 false DigiNotar certificates exist.

Among the domains listed are Google, Facebook, Twitter and Skype.

At the same time, it was noticed that a sizeable portion of the Dutch company's certificates were mysteriously going to users in Iran.

By August, 76.5% of DigiNotar validations were in the Netherlands. 18.7% were in Iran and 4.8% elsewhere in the world, according to security firm Trend Micro.

Iranian activity dropped off after the certificates were revoked.

DigiNotar eventually went public about the intrusion on 30 August, at which time most web browsers stopped recognising DigiNotar certificates altogether.

Soft target

There are many reasons why Iran may have been targeted using the bogus certificates, according to security experts.

The republic's tight controls on dissent mean that monitoring web traffic could yield useful information.

Iran's internet setup also makes some types of interception easier, according to Rik Ferguson, Trend Micro's director of security research and communications.

"All the internet traffic has to go through an Iranian government proxy before it goes out to the final destination.

The internet's most used Certificate Authorities

  • Verisign
  • GoDaddy
  • Comodo
  • Network Solutions
  • Entrust
  • GlobalSign
  • AmbironTrustWave

Source: Netcraft

"If you want to spy on normal HTTP traffic, that is not a problem - you get to see all the outbound requests and all the inbound responses," he explained.

For secure websites, attempts to intercept would ring alarm bells with the web browser and therefore the user.

One option is to make the Iranian national proxy server look like it is the target website - using a fake DigiNotar certificate.

The proxy then relays information to and from the real website, e.g. Google.com, but there is no indication that the secure chain has been broken.

Government involvement?

While much online debate has centred around the role of the Iranian authorities, there is no firm evidence to support such a theory.

However, a spokesman for the Dutch Interior Ministry, Vincent van Steen told the Netherland's-based ANP news agency that the cabinet was looking into claims of Iranian government involvement.

Iran has previously been on the receiving end of cyber attacks, including the elaborate Stuxnet conspiracy which enabled a computer worm to take control of machinery in a uranium enrichment plant.

The DigiNotar incident has also raised broader concerns about the security of the global certificate authorisation system.

"The more there are, the more opportunities there are to attack the system," said Paul Mutton, a security analyst from Netcraft.

"Whenever there is a certificate authority that is trusted by all the mainstream web browsers, if someone was to compromise them it is just as bad as compromising the largest CA."

Alternatives to the current system have been suggested, including one by former hacker Moxie Marlinspike, known as Convergence, which verifies site authenticity by checking with multiple online "notaries".

More on This Story

Related Stories

The BBC is not responsible for the content of external Internet sites

More Technology stories

RSS

Features & Analysis

  • French luxury Tea House, Mariage Freres display of tea pots Tea for tu

    France falls back in love with tea - but don't expect a British cuppa


  • Woman in swimming pool Green stuff

    The element that makes a familiar smell when mixed with urine


  • People take part in an egg-cracking contest in the village of Mokrin, 120km (75 miles) north of Belgrade, Serbia on 20 April 2014In pictures

    Images from around the world as Christians mark Easter Sunday


  • Female model's bottom in leopard skin trousers as she walks up the catwalkBum deal

    Why budget buttock ops can be bad for your health


Elsewhere on the BBC

  • ITChild's play

    It's never been easier for small businesses to get their message out to the world

Programmes

  • An aerial shot shows the Olympic Stadium, which is closed for repair works on its roof, in Rio de Janeiro March 28, 2014.Extra Time Watch

    Will Rio be ready in time to host the Olympics in 2016? The IOC president gives his verdict

BBC © 2014 The BBC is not responsible for the content of external sites. Read more.

This page is best viewed in an up-to-date web browser with style sheets (CSS) enabled. While you will be able to view the content of this page in your current browser, you will not be able to get the full visual experience. Please consider upgrading your browser software or enabling style sheets (CSS) if you are able to do so.