Did The Iranian Gov't Try To Create A Massive Man-In-The-Middle Attack With Faked Certificates?

from the getting-sophisticated dept

Thu, Mar 24th 2011 2:46pm — Mike Masnick

A few months back, we talked about how the Tunisian government tried to do a massive hack on Facebook to access the communications of protesters and activists. It looks like the Iranian government tried to do something similar, figuring out a way to get bogus SSL certificates for Google, Yahoo, Skype and others, which would have allowed the government to set up a man-in-the-middle type attack to get passwords and access otherwise "encrypted" content. While this was discovered, it does suggest the levels that some governments will go to in order to spy on users online. More importantly, it highlights some of the serious problems with the certificate authority model of trust and security online. So here's the big question: how do we prevent these types of things from happening?

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: certificates, iran, man in the middle, security, ssl, trust

24 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

Anonymous Coward, 24 Mar 2011 @ 2:59pm

Q: how do we prevent these types of things from happening?

A: don't live in Iran
[ link to this | view in chronology ]
- Anonymous Coward, 24 Mar 2011 @ 3:33pm
  
  Re:
  Not really an option since to whatever country you go, they also have the same capabilities and if the CA authority is in the country in question then you probably are better of inside Iran in that case concerning your privacy.
  [ link to this | view in chronology ]
Anonymous Coward, 24 Mar 2011 @ 2:59pm

sneaker net!
[ link to this | view in chronology ]
- Qritiqal (profile), 24 Mar 2011 @ 3:42pm
  
  Re:
  Never underestimate the bandwidth of a truckload of tapes!
  [ link to this | view in chronology ]
  - Anonymous Coward, 24 Mar 2011 @ 3:55pm
    
    Re: Re:
    Hmmm...I much prefer USB HDD stands.
    
    http://i01.i.aliimg.com/photo/v1/362919873/USB_3_0_SATA_HDD_Stand_Hard.jpg
    
    2 TB at in a slim form factor.
    [ link to this | view in chronology ]
Anonymous Coward, 24 Mar 2011 @ 3:09pm

Use a wonderful distributed DNS system where almost anyone can inject stuff without checking. That will surely help!
[ link to this | view in chronology ]
- Steven (profile), 24 Mar 2011 @ 3:21pm
  
  Re:
  Which has absolutely nothing to do with this.
  [ link to this | view in chronology ]
- :Lobo Santo (profile), 24 Mar 2011 @ 3:22pm
  
  Re:
  Thanx AC. That is not only helpful but also imaginative and insightful. ^_^
  
  Without a doubt, there is nobody anywhere who could ever think of a way to provide a secure exchange of data in a world where distributed DNS is more prevalent than it is today.
  
  /sarc
  [ link to this | view in chronology ]
- Anonymous Coward, 24 Mar 2011 @ 3:35pm
  
  Re:
  Look at BitCoin and Osiris SPS and how they solved those issues.
  
  BitCoin is even used for anonymous financial transactions in the real world.
  [ link to this | view in chronology ]
Mohammed Al zamil, 24 Mar 2011 @ 3:20pm

I expect every thing
From Iran you can Expect anything they live on the dirty and destroy their neighbour, I live in Iraq and Know this kind of people what they are
[ link to this | view in chronology ]
Steven (profile), 24 Mar 2011 @ 3:21pm

This is probably one of the legitimate 'flaws' of the way the internet is structured. It's essentially defaulted to trust. But that 'flaw' is also the major strength of the internet.

There is alot you can do to secure communication between two known parties. It gets significantly more difficult to ensure that the server you've connected to is who you think it is.

The existing model is actually pretty good (as we don't hear about this thing all that often).
[ link to this | view in chronology ]
Anonymous Coward, 24 Mar 2011 @ 3:28pm

There are solutions for specific situations but I doubt it would scale to the entire interwebz.

The best would be to use an secure overlay like Retroshare, TOR, GNUNET or Herbivore.

SSL is just not that secure with governments they have the resources to get in.
[ link to this | view in chronology ]
techinabox (profile), 24 Mar 2011 @ 4:00pm

I am pretty sure this can't be prevented. If you can get a Certificate Authority to issue a certificate for a domain then 99.99% of people won't be able to tell if the certification is legit or not. Most people couldn't tell the difference between certs issues by Verisign, Thawte, Startcom, or Comodo if they were shown the information and even those who could would still be hard pressed to guess which CA a website is using. I know Google uses Thawte and PayPal uses Verisign but that is it. CAs just need to keep up with their security I suppose.
[ link to this | view in chronology ]
- Anonymous Coward, 25 Mar 2011 @ 2:01am
  
  Re:
  The 9 certificates that were issued were legitimate. Until they were revoked no one could have known. Once revoked, OCSP operating in your browser would take care of checking to see if they were on the revocation list. What I think you're referring to is how people react when they see a notice that the certificate of a website has expired or has been revoked. Do you ignore it?
  [ link to this | view in chronology ]
  - techinabox (profile), 25 Mar 2011 @ 8:11am
    
    Re: Re:
    What I mean is that the Certs in question were from Comodo but Google uses Thawte Certs, Yahoo uses DigiCert Certs, etc. So while the Certs acquired from Comodo were "real" they were not legitimate.
    [ link to this | view in chronology ]
GeneralFault, 24 Mar 2011 @ 4:26pm

Blacklist CA's
Perhaps one way to solve the problem at least in the short-term is to start getting the word out about CA's that are untrustworthy due to unethical behavior (such as issuing fake certs for governments). Users have the option of removing these CA's from their local cert stores. Perhaps if someone gets ambitious, they could create a service to do this for the "average user". Perhaps we should push Google, Firefox, Microsoft, McAfee, AVG and other Browser, OS, anti-virus and security application developers to build such a service into their products. Let the "market" take care of the problem.
[ link to this | view in chronology ]
- Anonymous Coward, 24 Mar 2011 @ 5:18pm
  
  Re: Blacklist CA's
  Get me a list of untrustworthy CAs and I'll build an app that does it. Maybe Google will buy me and I'll be rich....that'd be nice.
  [ link to this | view in chronology ]
Anonymous Coward, 24 Mar 2011 @ 4:48pm

There's no evidence implicating the Iranian government
At least: not yet.

Any hacker worthy of the title is quite capable of launching their attack from zombies located anywhere...and zombies are everywhere, not just on consumer networks, but on corporate, educational, and governmental networks.

Some of the best discussion on this is happening on the NANOG list.
[ link to this | view in chronology ]
- The Devil's Coachman (profile), 24 Mar 2011 @ 4:59pm
  
  Re: There's no evidence implicating the Iranian government
  Just the same, it's more expedient to blame them, bomb them, and bury them. Except for higher prices for pistachios, their demise will go largely unnoticed.
  [ link to this | view in chronology ]
Chris in Utah (profile), 24 Mar 2011 @ 6:22pm

Just downloaded a windows update about this yesterday. Funny that.
[ link to this | view in chronology ]
Axel Simon (profile), 24 Mar 2011 @ 7:13pm

Monkey Sphere
I'm surprised nobody's mentioned the Monkeysphere project in this discussion.

There are two ways to set up a trust model from what I gather: either trust an authority, or use a web of trust.

It appears the authority based model is not working at this point, so the alternative is the web of trust model.

To quote the Monkeysphere page:
�The Monkeysphere project's goal is to extend OpenPGP's web of trust to new areas of the Internet to help us securely identify servers we connect to(�)�
http://web.monkeysphere.info/

From that point, you can set different trust levels to different peers, the way you can in OpenPGP.

Oh, and maybe worth noting, you can also delete Certificate Authorities in Firefox (and others I guess).

Might make sense to only keep the ones you think *might* be doing their job of selling ones and zeros better than the others.
[ link to this | view in chronology ]
Anonymous Coward, 24 Mar 2011 @ 8:11pm

Now we should probably hope that they don't block revokation URL and Microsoft's patch yesterday on "transparent proxy" level, or their "fake e-cert" will continue to work.
[ link to this | view in chronology ]
Anonymous Coward, 25 Mar 2011 @ 12:37am

The twitter user @ioerror has created a project on github called crlwatch. Worth checking out.
[ link to this | view in chronology ]
- Anonymous Coward, 25 Mar 2011 @ 12:38am
  
  Response to: Anonymous Coward on Mar 25th, 2011 @ 12:37am
  Forgot to mention that @ioerror also works on Tor.
  [ link to this | view in chronology ]