Fake DigiNotar web certificate risk to Iranians

Man using computer Iran was a heavy user of DigiNotar certificates around the time that fake certificates were created

Related Stories

Fresh evidence has emerged that stolen web security certificates may have been used to spy on people in Iran.

Analysis by Trend Micro suggests a spike in the number of compromised DigiNotar certificates being issued to the Islamic Republic.

It is believed the digital IDs were being used to trick computers into thinking they were directly accessing sites such as Google.

In reality, someone else may have been monitoring the communications.

Hundreds of bogus certificates are thought to have been generated following a hack on Netherlands-based DigiNotar.

The company is owned by US firm Vasco Data Security.

Web passport
Authentication certificate Authentication certificates are used to verify secure websites' identity

Authentication certificates are used by many websites to give their users secure access.

Typically these take the form of a TLS or SSL connection - which can be identified by the appearance of a padlock logo and "https" prefix.

Together, they are supposed to guarantee that the site is what it appears to be, and that the user's session is not being monitored.

Hundreds of bodies - known as certificate authorities (CAs) - are allowed to provide such authentication.

Web browsers, such as Safari, Chrome, Firefox and Internet Explorer have a built-in list of which CAs they can trust.

However, if a third-party was able to steal certificate details or generate their own, they may be able to launch a "man-in-the-middle" attack, similar to tapping a phone line.

The presence of an apparently genuine certificate means browser security would be unlikely to detect the surveillance.

Issued and revoked

On 19 July, Dutch CA DigiNotar detected an unauthorised intrusion into its systems.

The company immediately revoked a number of bogus certificates that had been created as a result.

It emerged later that some were missed, and other new ones generated, after the initial attack.

Diginotar certificate use

Unconfirmed information published online suggested that more than 500 false DigiNotar certificates exist.

Among the domains listed are Google, Facebook, Twitter and Skype.

At the same time, it was noticed that a sizeable portion of the Dutch company's certificates were mysteriously going to users in Iran.

By August, 76.5% of DigiNotar validations were in the Netherlands. 18.7% were in Iran and 4.8% elsewhere in the world, according to security firm Trend Micro.

Iranian activity dropped off after the certificates were revoked.

DigiNotar eventually went public about the intrusion on 30 August, at which time most web browsers stopped recognising DigiNotar certificates altogether.

Soft target

There are many reasons why Iran may have been targeted using the bogus certificates, according to security experts.

The republic's tight controls on dissent mean that monitoring web traffic could yield useful information.

Iran's internet setup also makes some types of interception easier, according to Rik Ferguson, Trend Micro's director of security research and communications.

"All the internet traffic has to go through an Iranian government proxy before it goes out to the final destination.

The internet's most used Certificate Authorities

  • Verisign
  • GoDaddy
  • Comodo
  • Network Solutions
  • Entrust
  • GlobalSign
  • AmbironTrustWave

Source: Netcraft

"If you want to spy on normal HTTP traffic, that is not a problem - you get to see all the outbound requests and all the inbound responses," he explained.

For secure websites, attempts to intercept would ring alarm bells with the web browser and therefore the user.

One option is to make the Iranian national proxy server look like it is the target website - using a fake DigiNotar certificate.

The proxy then relays information to and from the real website, e.g. Google.com, but there is no indication that the secure chain has been broken.

Government involvement?

While much online debate has centred around the role of the Iranian authorities, there is no firm evidence to support such a theory.

However, a spokesman for the Dutch Interior Ministry, Vincent van Steen told the Netherland's-based ANP news agency that the cabinet was looking into claims of Iranian government involvement.

Iran has previously been on the receiving end of cyber attacks, including the elaborate Stuxnet conspiracy which enabled a computer worm to take control of machinery in a uranium enrichment plant.

The DigiNotar incident has also raised broader concerns about the security of the global certificate authorisation system.

"The more there are, the more opportunities there are to attack the system," said Paul Mutton, a security analyst from Netcraft.

"Whenever there is a certificate authority that is trusted by all the mainstream web browsers, if someone was to compromise them it is just as bad as compromising the largest CA."

Alternatives to the current system have been suggested, including one by former hacker Moxie Marlinspike, known as Convergence, which verifies site authenticity by checking with multiple online "notaries".

More on This Story

Related Stories

The BBC is not responsible for the content of external Internet sites

More Technology stories

RSS

Features & Analysis

  • An ant and a humanAnts v humans

    Do all the world's ants really weigh as much as all the humans?


  • Tattooed person using tabletRogue ink

    People who lost their jobs because of their tattoos


  • Deepika PadukoneBeauty and a tweet

    Bollywood cleavage row shows India's 'crass' side


  • Indian coupleSuspicious spouses

    Is your sweetheart playing away? Call Delhi's wedding detective


Elsewhere on the BBC

  • GeoguessrWhere in the world...?

    Think you are a geography expert? Test your knowledge with BBC Travel’s interactive game

Programmes

  • StudentsClick Watch

    Could a new social network help tailor lessons to students’ needs and spot when they fall behind?

BBC © 2014 The BBC is not responsible for the content of external sites. Read more.

This page is best viewed in an up-to-date web browser with style sheets (CSS) enabled. While you will be able to view the content of this page in your current browser, you will not be able to get the full visual experience. Please consider upgrading your browser software or enabling style sheets (CSS) if you are able to do so.