Monday, August 29, 2011

Faked web certificate could have been used to attack Iran dissidents


Flaw could have let attackers steal passwords and data from apparently secure connections to Google sites such as Gmail

Security researchers are warning that a fake web certificate is being used that could let attackers steal passwords and data from apparently secure connections to Google sites such as Gmail.

Internet users in Iran are reckoned to be at particular risk from the faked SSL certificate, which is used to digitally "sign" https: connections to any google.com site and was issued by a Dutch company called Diginotar on 10 July. In particular, dissidents who trust Google's systems for their security may have been targeted in the attack.

Diginotar – which does not have any direct business relationship with Google – has not said who the certificate was issued to. The effect would be that someone could think they were logged securely into a site and that their communication was encrypted, while attackers controlling the network could instead eavesdrop on all their keystrokes, including passwords. This is known as a "man in the middle", or "MITM", attack.

The first person to notice the fake certificate appears to have been an Iranian user, who posted about it on a Google support forum, asking whether it was a "man in the middle" attack. The problem was observed on multiple internet service providers (ISPs) in Iran, leading to concerns that the government there might be using it to monitor dissidents and steal login details.

The user also noted that connections to google.com seemed to take a longer path than connections to youtube.com, yahoo.com and bing.com. The faked certificate did not seem to be in constant use: "I see this fake certificate only 30 minutes or one hour per day maybe they just test how sniff their users!" wrote the discoverer.

Microsoft on Monday night removed the certificate from the list of certificates trusted by its browsers. That should mean that users get an "invalid certificate" warning if they try to log in to a Google site that presents the faked certificate, in which case they should reject the connection.

The discovery marks the second time in five months that faked SSL certificates have been discovered circulating in the wild. In March, hackers cracked the systems used by the web certification company RSA and created a number of new, valid certificates for Google and for six other domains through a certification company called Comodo. The fake certificates were in use for eight days before being revoked from major browsers, and longer for email programs.

Both incidents have created growing concern among security researchers about the levels of trust that can be placed in SSL certification, which is used to create a "web of trust" in which certification companies can authorise multiple sites so that users can trust that their communications are untapped. The March hack against Comodo is thought to have been carried out by an Iranian hacking team.

The key weakness in the web certification system is that any company authorised to issue certificates can issue one which almost every browser will trust as being valid against any web property. Thus a Diginotar certificate for google.com would be trusted by almost every browser, even if a hacking attack meant that it had been issued to someone who was not working for Google.

"How many more Diginotar-issued fake certificates are out there that nobody has noticed?" said Mikko Hypponen, chief research officer at the Finnish security company F-Secure.

Users of the latest version of Google's Chrome browser would have been safe from the attack in the past month because it uses a system called "pinning", in which it rejects certificates for Google sites from any but a limited number of companies, a list which does not include Diginotar. But the Diginotar certificate was issued on 10 July, and the version of Chrome that would reject it did not appear until 10 August, leaving a crucial window during which users would have been vulnerable to attack.

The Electronic Frontier Foundation said: "The certificate authority system was created decades ago in an era when the biggest online security concern was thought to be protecting users from having their credit card numbers intercepted by petty criminals. Today, internet users rely on this system to protect their privacy against nation-states. We doubt it can bear this burden."

The EFF says that certification authorities "have been caught issuing fraudulent certificates in at least half a dozen high-profile cases in the past two years" but that the concern over the latest is that it might have been used to spy on any number of Iranian users.


guardian.co.uk © Guardian News & Media Limited 2011


Ian Tucker 30 Aug, 2011


Source: http://www.guardian.co.uk/technology/2011/aug/30/faked-web-certificate-iran-dissidents
