One of the big discussions points this week is about a wildcard cert for Google that has leaked out from a Dutch company called DigiNotar. The certificate is good for all Google domains – it’s a *.google.com cert.
This is bad news and apparently has been in the wild for a while, some people are linking to deaths in Iran as the cert could be used to hijack Gmail accounts using a MITM attack.
If you want to check out the cert directly, you can do so here:
Gmail.com SSL MITM ATTACK BY Iranian Government – 27/8/2011
The story seems to originate here where a user in Iran noticed a MITM was being perpetrated on him – probably by his own ISP or government.
Is This MITM Attack to Gmail’s SSL ?
Hackers have obtained a digital certificate good for any Google website from a Dutch certificate provider, a security researcher said today. Criminals could use the certificate to conduct “man-in-the-middle” attacks targeting users of Gmail, Google’s search engine or any other service operated by the Mountain View, Calif. company.
“This is a wildcard for any of the Google domains,” said Roel Schouwenberg, senior malware researcher with Kaspersky Lab, in an email interview Monday.
“[Attackers] could poison DNS, present their site with the fake cert and bingo, they have the user’s credentials,” said Andrew Storms, director of security operations at nCircle Security.
Man-in-the-middle attacks could also be launched via spam messages with links leading to a site posing as, say, the real Gmail. If recipients surfed to that link, their account login username and password could be hijacked. Details of the certificate were posted on Pastebin.com last Saturday. Pastebin.com is a public site where developers — including hackers — often post source code samples.
According to Schouwenberg, the SSL (secure socket layer) certificate is valid, and was issued by DigiNotar, a Dutch certificate authority, or CA. DigiNotar was acquired earlier this year by Chicago-based Vasco, which bills itself on its site as “a world leader in strong authentication.”
Vasco did not reply to a request for comment.
The cert is valid, which is scary. One thing which is currently unknown is how the cert got out there, if it was a hack or a leak or someone from the outside got access to the DigiNotar CA.
If you want more technical details on how to verify the cert, you can check this out:
Internet death sentence for DigiNotar’s Root CA!
Security researcher and Tor developer Jacob Applebaum confirmed that the certificate was valid in an email answer to Computerworld questions, as did noted SSL researcher Moxie Marlinspike on Twitter. “Yep, just verified the signature, that pastebin *.google.com certificate is real,” said Marlinspike .
Because the certificate is valid, a browser would not display a warning message if its user went to a website signed with the certificate.
It’s unclear whether the certificate was obtained because of a lack of oversight by DigiNotar or through a breach of the company’s certificate issuing website.
Schouwenberg urged the company to provide more information as soon as possible.
“Given their ties to the government and financial sectors it’s extremely important we find out the scope of the breach as quickly as possible,” Schouwenberg said. The situation was reminiscent of a breach last March, when a hacker obtained certificates for some of the Web’s biggest sites, including Google and Gmail, Microsoft, Skype and Yahoo.
Then, Comodo said that nine certificates had been fraudulently issued after attackers used an account assigned to a company partner in southern Europe.
Initially, Comodo argued that Iran’s government may have been involved in the theft. Days later, however, a solo Iranian hacker claimed responsibility for stealing the SSL certificates.
Today, Kaspersky’s Schouwenberg said “nation-state involvement is the most plausible explanation” for the acquisition of the DigiNotar-issued certificate.
Google have also mentioned in on their security blog here:
Today we received reports of attempted SSL man-in-the-middle (MITM) attacks against Google users, whereby someone tried to get between them and encrypted Google services. The people affected were primarily located in Iran. The attacker used a fraudulent SSL certificate issued by DigiNotar, a root certificate authority that should not issue certificates for Google (and has since revoked it).
An update on attempted man-in-the-middle attacks
There was also quick action taken by both Mozilla and Microsoft.
It’s been pretty quiet really to say this is really a major issue, I hope more details come out about how this occurred. If you are using Firefox there are instructions on how to delete/distrust the DigiNotar CA here.
Source: Network World