Did The Iranian Gov't Try To Create A Massive Man-In-The-Middle Attack With Faked Certificates?

from the getting-sophisticated dept

A few months back, we talked about how the Tunisian government tried to do a massive hack on Facebook to access the communications of protesters and activists. It looks like the Iranian government tried to do something similar, figuring out a way to get bogus SSL certificates for Google, Yahoo, Skype and others, which would have allowed the government to set up a man-in-the-middle type attack to get passwords and access otherwise “encrypted” content. While this was discovered, it does suggest the levels that some governments will go to in order to spy on users online. More importantly, it highlights some of the serious problems with the certificate authority model of trust and security online. So here’s the big question: how do we prevent these types of things from happening?

Filed Under: , , , , ,

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Did The Iranian Gov't Try To Create A Massive Man-In-The-Middle Attack With Faked Certificates?”

Subscribe: RSS Leave a comment
Steven (profile) says:

This is probably one of the legitimate ‘flaws’ of the way the internet is structured. It’s essentially defaulted to trust. But that ‘flaw’ is also the major strength of the internet.

There is alot you can do to secure communication between two known parties. It gets significantly more difficult to ensure that the server you’ve connected to is who you think it is.

The existing model is actually pretty good (as we don’t hear about this thing all that often).

techinabox (profile) says:

I am pretty sure this can’t be prevented. If you can get a Certificate Authority to issue a certificate for a domain then 99.99% of people won’t be able to tell if the certification is legit or not. Most people couldn’t tell the difference between certs issues by Verisign, Thawte, Startcom, or Comodo if they were shown the information and even those who could would still be hard pressed to guess which CA a website is using. I know Google uses Thawte and PayPal uses Verisign but that is it. CAs just need to keep up with their security I suppose.

Anonymous Coward says:

Re: Re:

The 9 certificates that were issued were legitimate. Until they were revoked no one could have known. Once revoked, OCSP operating in your browser would take care of checking to see if they were on the revocation list. What I think you’re referring to is how people react when they see a notice that the certificate of a website has expired or has been revoked. Do you ignore it?

GeneralFault (user link) says:

Blacklist CA's

Perhaps one way to solve the problem at least in the short-term is to start getting the word out about CA’s that are untrustworthy due to unethical behavior (such as issuing fake certs for governments). Users have the option of removing these CA’s from their local cert stores. Perhaps if someone gets ambitious, they could create a service to do this for the “average user”. Perhaps we should push Google, Firefox, Microsoft, McAfee, AVG and other Browser, OS, anti-virus and security application developers to build such a service into their products. Let the “market” take care of the problem.

Anonymous Coward says:

There's no evidence implicating the Iranian government

At least: not yet.

Any hacker worthy of the title is quite capable of launching their attack from zombies located anywhere…and zombies are everywhere, not just on consumer networks, but on corporate, educational, and governmental networks.

Some of the best discussion on this is happening on the NANOG list.

Axel Simon (profile) says:

Monkey Sphere

I’m surprised nobody’s mentioned the Monkeysphere project in this discussion.

There are two ways to set up a trust model from what I gather: either trust an authority, or use a web of trust.

It appears the authority based model is not working at this point, so the alternative is the web of trust model.

To quote the Monkeysphere page:
?The Monkeysphere project’s goal is to extend OpenPGP’s web of trust to new areas of the Internet to help us securely identify servers we connect to(?)?

From that point, you can set different trust levels to different peers, the way you can in OpenPGP.

Oh, and maybe worth noting, you can also delete Certificate Authorities in Firefox (and others I guess).

Might make sense to only keep the ones you think *might* be doing their job of selling ones and zeros better than the others.

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...