Certificate authority confirms hack after Gmail attack

Security

Certificate authority DigiNotar today confirmed the fake security credential used to carry out man in the middle (MITM) attacks targeting Gmail users was obtained during a hack.

An Iranian Gmail user claimed to have found evidence of a fake SSL certificate for Google services. Such fake certificates can be used to intercept end user web interactions with an MITM attack or set up spoof websites to steal people's data.

There may well be other certificates like this out there that we don't know about. That means almost all internet users are still vulnerable to this sort of attack.

The fake credentials were authorised by DigiNotar after the company's Certificate Authority (CA) infrastructure was hacked. The firm thought it had removed all of the fraudulent certificates from the internet, but it has now become apparent not all were taken offline.

"The company will take every possible precaution to secure its SSL and EVSSL certificate offering, including temporarily suspending the sale of its SSL and EVSSL certificate offerings," a message from DigiNotar's parent company Vasco Data Security International.

"The company will only restart its SSL and EVSSL certificate activities after thorough additional security audits by third party organisations."

DigiNotar warned it was not just Google.com which was affected.

Concerns over timing have been raised as well. DigiStor said it became aware of an intrusion on 19 July, yet the fake certificate for the Google service was issued on 10 July. This means the fraudulent certificate has been in the wild for some time.

The incident was only highlighted by a user going by the name of Alibo, who, thanks to a new feature in Google Chrome, was made aware of the fake certificate via a warning. Alibo claimed the attack was carried out by either his ISP or the Iranian Government, but there is no solid evidence of this.

Certificates are supposed to act as a guarantee that the information a user is accessing and sending is only viewed by safe, recognised parties. This case has again highlighted flaws in the CA system, which relies on the trust of such security credentials and the competency of certificate authorities, of which there are around 600.

Earlier this year, certificate authority Comodo was hacked and credentials for sites including login.live.com, mail.google.com, www.google.com, login.skype.com and login.yahoo.com were issued.

Digital rights campaigner the Electronic Frontier Foundation (EFF) said this was the first time a fake certificate has successfully been used in the wild, making it especially concerning.

"The certificate authority system was created decades ago in an era when the biggest online security concern was thought to be protecting users from having their credit card numbers intercepted by petty criminals," the EFF said.

"Today internet users rely on this system to protect their privacy against nation states. We doubt it can bear this burden."

Google, Microsoft and Mozilla have all removed DigiStor from their trusted certificate authority lists. This means websites using certificates from DigiStor will not be accessible via Chrome, Mozilla or from any browser running on Windows Vista and above.

Despite the actions of the big vendors, there are still big concerns over the implications of this particular security event.

"The good news is that the computer security community is now taking this threat very seriously. Unfortunately, the bad news is spectacularly bad: users in Iran (or on any network where an eavesdropper had the key to this certificate) may have been vulnerable for two months," the EFF added.

"What's more, there are hundreds of certificate authorities in dozens of jurisdictions, and several have been tricked into issuing false certificates. So there may well be other certificates like this out there that we don't know about. That means almost all internet users are still vulnerable to this sort of attack."

Tom Brewster

Tom Brewster is currently an associate editor at Forbes and an award-winning journalist who covers cyber security, surveillance, and privacy. Starting his career at ITPro as a staff writer and working up to a senior staff writer role, Tom has been covering the tech industry for more than ten years and is considered one of the leading journalists in his specialism.

He is a proud alum of the University of Sheffield where he secured an undergraduate degree in English Literature before undertaking a certification from General Assembly in web development.