Did The Iranian Gov't Try To Create A Massive Man-In-The-Middle Attack With Faked Certificates?

from the getting-sophisticated dept

A few months back, we talked about how the Tunisian government tried to do a massive hack on Facebook to access the communications of protesters and activists. It looks like the Iranian government tried something similar, figuring out a way to get bogus SSL certificates for Google, Yahoo, Skype and others, which would have let the government mount a man-in-the-middle attack to harvest passwords and read otherwise "encrypted" traffic. While this attempt was discovered, it does suggest the lengths that some governments will go to in order to spy on users online. More importantly, it highlights some serious problems with the certificate authority model of trust and security online. So here's the big question: how do we prevent these types of things from happening?


Reader Comments

  • Anonymous Coward, Mar 24th, 2011 @ 2:59pm

    Q: how do we prevent these types of things from happening?

    A: don't live in Iran

    • Anonymous Coward, Mar 24th, 2011 @ 3:33pm

      Re:

      Not really an option, since whatever country you go to, they also have the same capabilities, and if the CA authority is in the country in question then you are probably better off inside Iran in that case concerning your privacy.

  • Anonymous Coward, Mar 24th, 2011 @ 2:59pm

    sneaker net!

  • Anonymous Coward, Mar 24th, 2011 @ 3:09pm

    Use a wonderful distributed DNS system where almost anyone can inject stuff without checking. That will surely help!

    • Steven (profile), Mar 24th, 2011 @ 3:21pm

      Re:

      Which has absolutely nothing to do with this.

    • :Lobo Santo (profile), Mar 24th, 2011 @ 3:22pm

      Re:

      Thanx AC. That is not only helpful but also imaginative and insightful. ^_^

      Without a doubt, there is nobody anywhere who could ever think of a way to provide a secure exchange of data in a world where distributed DNS is more prevalent than it is today.

      /sarc

    • Anonymous Coward, Mar 24th, 2011 @ 3:35pm

      Re:

      Look at BitCoin and Osiris SPS and how they solved those issues.

      BitCoin is even used for anonymous financial transactions in the real world.

  • Mohammed Al zamil, Mar 24th, 2011 @ 3:20pm

    I expect everything

    From Iran you can expect anything; they live on the dirty and destroy their neighbour. I live in Iraq and know what kind of people they are.

  • Steven (profile), Mar 24th, 2011 @ 3:21pm

    This is probably one of the legitimate 'flaws' of the way the internet is structured. It's essentially defaulted to trust. But that 'flaw' is also the major strength of the internet.

    There is a lot you can do to secure communication between two known parties. It gets significantly more difficult to ensure that the server you've connected to is who you think it is.

    The existing model is actually pretty good (as we don't hear about this thing all that often).

  • Anonymous Coward, Mar 24th, 2011 @ 3:28pm

    There are solutions for specific situations but I doubt it would scale to the entire interwebz.

    The best would be to use a secure overlay like Retroshare, TOR, GNUNET or Herbivore.

    SSL is just not that secure with governments; they have the resources to get in.

  • techinabox (profile), Mar 24th, 2011 @ 4:00pm

    I am pretty sure this can't be prevented. If you can get a Certificate Authority to issue a certificate for a domain then 99.99% of people won't be able to tell if the certification is legit or not. Most people couldn't tell the difference between certs issued by Verisign, Thawte, Startcom, or Comodo if they were shown the information, and even those who could would still be hard pressed to guess which CA a website is using. I know Google uses Thawte and PayPal uses Verisign but that is it. CAs just need to keep up with their security I suppose.

    • Anonymous Coward, Mar 25th, 2011 @ 2:01am

      Re:

      The 9 certificates that were issued were legitimate. Until they were revoked no one could have known. Once revoked, OCSP operating in your browser would take care of checking to see if they were on the revocation list. What I think you're referring to is how people react when they see a notice that the certificate of a website has expired or has been revoked. Do you ignore it?

      • techinabox (profile), Mar 25th, 2011 @ 8:11am

        Re: Re:

        What I mean is that the Certs in question were from Comodo but Google uses Thawte Certs, Yahoo uses DigiCert Certs, etc. So while the Certs acquired from Comodo were "real" they were not legitimate.

  • GeneralFault, Mar 24th, 2011 @ 4:26pm

    Blacklist CA's

    Perhaps one way to solve the problem at least in the short-term is to start getting the word out about CA's that are untrustworthy due to unethical behavior (such as issuing fake certs for governments). Users have the option of removing these CA's from their local cert stores. Perhaps if someone gets ambitious, they could create a service to do this for the "average user". Perhaps we should push Google, Firefox, Microsoft, McAfee, AVG and other Browser, OS, anti-virus and security application developers to build such a service into their products. Let the "market" take care of the problem.

    • Anonymous Coward, Mar 24th, 2011 @ 5:18pm

      Re: Blacklist CA's

      Get me a list of untrustworthy CAs and I'll build an app that does it. Maybe Google will buy me and I'll be rich....that'd be nice.

  • Anonymous Coward, Mar 24th, 2011 @ 4:48pm

    There's no evidence implicating the Iranian government

    At least: not yet.

    Any hacker worthy of the title is quite capable of launching their attack from zombies located anywhere...and zombies are everywhere, not just on consumer networks, but on corporate, educational, and governmental networks.

    Some of the best discussion on this is happening on the NANOG list.

    • The Devil's Coachman (profile), Mar 24th, 2011 @ 4:59pm

      Re: There's no evidence implicating the Iranian government

      Just the same, it's more expedient to blame them, bomb them, and bury them. Except for higher prices for pistachios, their demise will go largely unnoticed.

  • Chris in Utah (profile), Mar 24th, 2011 @ 6:22pm

    Just downloaded a windows update about this yesterday. Funny that.

  • Axel Simon (profile), Mar 24th, 2011 @ 7:13pm

    Monkey Sphere

    I'm surprised nobody's mentioned the Monkeysphere project in this discussion.

    There are two ways to set up a trust model from what I gather: either trust an authority, or use a web of trust.

    It appears the authority based model is not working at this point, so the alternative is the web of trust model.

    To quote the Monkeysphere page:

        "The Monkeysphere project's goal is to extend OpenPGP's web of trust to new areas of the Internet to help us securely identify servers we connect to"
        http://web.monkeysphere.info/

    From that point, you can set different trust levels to different peers, the way you can in OpenPGP.

    Oh, and maybe worth noting, you can also delete Certificate Authorities in Firefox (and others I guess).

    Might make sense to only keep the ones you think *might* be doing their job of selling ones and zeros better than the others.

  • Anonymous Coward, Mar 24th, 2011 @ 8:11pm

    Now we should probably hope that they don't block the revocation URL and Microsoft's patch from yesterday at the "transparent proxy" level, or their "fake e-cert" will continue to work.

  • Anonymous Coward, Mar 25th, 2011 @ 12:37am

    The twitter user @ioerror has created a project on github called crlwatch. Worth checking out.

    • Anonymous Coward, Mar 25th, 2011 @ 12:38am

      Response to: Anonymous Coward on Mar 25th, 2011 @ 12:37am

      Forgot to mention that @ioerror also works on Tor.
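Several of the comments above converge on checks a client could run on its own instead of trusting every CA in the store equally: techinabox's point that the rogue certificates came from a CA the real sites do not use (pinning the expected issuer per site), GeneralFault's and Axel Simon's suggestion of dropping untrustworthy CAs from the local store (a local distrust list), and the revocation-list checking raised in the OCSP reply and the crlwatch mention. The Python below is an added example, not code from Techdirt, from any commenter, or from the Monkeysphere or crlwatch projects. It works on the dictionary shape that Python's `ssl.SSLSocket.getpeercert()` returns, so the same audit can be run against a live connection; every CA name, pin, serial number and revocation entry in it is constructed sample data (the Thawte and DigiCert pins only echo techinabox's claim and are not verified CA policy).

```python
import socket
import ssl

# --- constructed sample policy: not real CA policy, not taken from the page's sources ---
DISTRUSTED_CAS = {"Example Rogue Reseller CA"}        # CAs the user has decided to stop trusting
ISSUER_PINS = {                                        # which CA organisation each site is expected to use
    "*.google.com": {"Thawte, Inc."},                  # echoes techinabox's claim; sample data only
    "*.yahoo.com": {"DigiCert Inc"},
}
REVOKED = {("Example Rogue Reseller CA", "DEADBEEF")}  # locally cached (issuer org, serial) pairs


def rdn_to_dict(rdn_sequence):
    """Flatten getpeercert()'s ((('key', 'value'),), ...) name structure into a plain dict."""
    out = {}
    for rdn in rdn_sequence:
        for key, value in rdn:
            out[key] = value
    return out


def hostnames_in_cert(cert):
    """Collect the subject CN plus every DNS subjectAltName the certificate claims."""
    names = set()
    subject = rdn_to_dict(cert.get("subject", ()))
    if "commonName" in subject:
        names.add(subject["commonName"])
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            names.add(value)
    return names


def host_matches(hostname, pattern):
    """Minimal wildcard match: '*.example.com' covers exactly one extra label."""
    if pattern.startswith("*."):
        return hostname.endswith(pattern[1:]) and hostname.count(".") == pattern.count(".")
    return hostname == pattern


def audit_peer_cert(hostname, cert, distrusted_cas, issuer_pins, revoked):
    """Return a list of findings; an empty list means nothing looked suspicious."""
    findings = []
    issuer_org = rdn_to_dict(cert.get("issuer", ())).get("organizationName", "")
    # 1. The certificate must actually be for the host we meant to reach.
    if not any(host_matches(hostname, name) for name in hostnames_in_cert(cert)):
        findings.append(f"name mismatch: certificate is not for {hostname}")
    # 2. Local distrust list (the 'remove the CA from your store' idea, done in software).
    if issuer_org in distrusted_cas:
        findings.append(f"issuer {issuer_org!r} is on the local distrust list")
    # 3. Issuer pinning: a 'real' certificate from the wrong CA is still not legitimate.
    for pattern, expected in issuer_pins.items():
        if host_matches(hostname, pattern) and issuer_org not in expected:
            findings.append(f"issuer {issuer_org!r} is not a CA pinned for {pattern}: {sorted(expected)}")
    # 4. Locally cached revocation data, for the case where the OCSP/CRL URL is unreachable.
    serial = cert.get("serialNumber", "").upper()
    if (issuer_org, serial) in revoked:
        findings.append(f"serial {serial} from {issuer_org!r} is on the cached revocation list")
    return findings


def fetch_peer_cert(hostname, port=443, timeout=5):
    """Fetch the validated leaf certificate dict from a live server (needs network; not used offline)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


# Constructed sample certificates in getpeercert() shape (field values are made up).
SAMPLE_EXPECTED = {
    "subject": ((("commonName", "www.google.com"),),),
    "issuer": ((("countryName", "US"),), (("organizationName", "Thawte, Inc."),)),
    "serialNumber": "0A1B2C",
    "subjectAltName": (("DNS", "www.google.com"),),
}
SAMPLE_ROGUE = {
    "subject": ((("commonName", "www.google.com"),),),
    "issuer": ((("organizationName", "Example Rogue Reseller CA"),),),
    "serialNumber": "deadbeef",
    "subjectAltName": (("DNS", "www.google.com"), ("DNS", "google.com")),
}


def demo():
    """Run the audit over both samples and return the findings for the rogue one."""
    for label, cert in (("expected", SAMPLE_EXPECTED), ("rogue", SAMPLE_ROGUE)):
        for finding in audit_peer_cert("www.google.com", cert, DISTRUSTED_CAS, ISSUER_PINS, REVOKED):
            print(f"[{label}] {finding}")
    return audit_peer_cert("www.google.com", SAMPLE_ROGUE, DISTRUSTED_CAS, ISSUER_PINS, REVOKED)


if __name__ == "__main__":
    demo()
```

The audit deliberately runs after the normal chain validation that `create_default_context()` performs, not instead of it: a pinned-issuer or distrust finding is what catches a certificate that is cryptographically valid but issued by a CA the site has never used, which is exactly the gap the thread is discussing.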

