An update on attempted man-in-the-middle attacks

Monday, August 29, 2011 8:59 PM



Today we received reports of attempted SSL man-in-the-middle (MITM) attacks against Google users, whereby someone tried to get between them and encrypted Google services. The people affected were primarily located in Iran. The attacker used a fraudulent SSL certificate issued by DigiNotar, a root certificate authority that should not issue certificates for Google (and has since revoked it).

Google Chrome users were protected from this attack because Chrome was able to detect the fraudulent certificate.

To further protect the safety and privacy of our users, we plan to disable the DigiNotar certificate authority in Chrome while investigations continue. Mozilla also moved quickly to protect its users. This means that Chrome and Firefox users will receive alerts if they try to visit websites that use DigiNotar certificates. Microsoft also has taken prompt action.

To help deter unwanted surveillance, we recommend that users, especially those in Iran, keep their web browsers and operating systems up to date and pay attention to web browser security warnings.

Update Aug 30: Added information about Microsoft's response.

Update Sept 3: Our top priority is to protect the privacy and security of our users. Based on the findings and decision of the Dutch government, as well as conversations with other browser makers, we have decided to reject all of the Certificate Authorities operated by DigiNotar. We encourage DigiNotar to provide a complete analysis of the situation.
The comments you read here belong only to the person who posted them. We do, however, reserve the right to remove off-topic comments.

25 comments:

Paul van Brouwershaven said...

Does this also include the "DigiNotar PKIoverheid CA Overheid en Bedrijven" root which is maintained by the same company?

Hamed said...

And how about the Google Talk? Despite Chrome and Firefox, it didn't give any alert while signing in my account. Unfortunately, Google Talk hasn't been updated for a long time!

ifhayati said...

What can we do?

پدرام said...

Unfortunately we can not use 2-step verification in Iran.Please make available.

Galaxy said...

What about users who are using outlook to check their GMail box?

zeewox said...

Could you explain how Chrome was able to detect the fraudulent certificate ?

ayeomans said...

I've been using Firefox "Certificate Patrol" extension, and for some weeks I've noticed a high number of warnings of changed certificates coming from Google sites. I've no particular reason to think these were MITM attacks, but at the time suspected it depended on which load-balanced server the connection was made to.

The current mix of wildcard and specific certificates across several domains that Google uses makes it less easy to spot changed certificates.

Do you have any policies about keeping server certs globally synchronised to help in such MITM detection?

Julio Belinchón Hernández said...

Pienso que con la suite de Navegadores Netscape 9, SeaMonkey 4.3 o Mozilla 8.0 tambien se encuentran protegidos.

Julio Belinchón Hernández.

MMMMMM said...

Opera users are also automatically protected.

http://my.opera.com/securitygroup/blog/2011/08/30/when-certificate-authorities-are-hacked-2

mim said...

it's Irans Governement, want to spy ppl g-mail account ...
please do something against them, it's truly illegal and irespected action :(

Mehrdad said...

Hi
I'm a Iranian User
Really thanks for warning.
This problem was prevalent in recent days.
many of my friends said me it happened for them.

AliReza Yazdanpanah said...

what are you talking about ?
its just end user that is under pressure every time.from Both Government and Google,
Google also blocked lots of its service from Iran ,
it blocked google Code,Google API and lots of other service,
why ?
we have to use tool provided by US Government in order to prevent its sanction on internet.
I mean that US Government put sanction on Internet access on some site,and it self provide us lots of tools to prevent this sanction.
tools like VPN,Your Freedom,CProxy,Tor,Radio Farda and lots of other tools that US Gov Support them.

ksec said...

"Google Chrome users were protected from this attack because Chrome was able to detect the fraudulent certificate."..."In addition in Chromium 13, only a very small subset of CAs have the authority to vouch for Gmail (and the Google Accounts login page)."

Could you give a link to the chromium code where this subset of CAs exists and the check occurs?

Thanks!

Madis said...

It would be interesting to know the background and reasons of the attack.

Alireza said...

Only if we were allowed to update chrome in Iran!

Amir said...

It's ironic that you cannot download and install Chrome in Iran because of US export laws. If you really care about protecting your Iranian users why don't you make Chrome available to them somehow?
And why should installing a web browser be included in sanctions? This is basically a sanction against Iranian people not Iranian regime.

RisingPhoenix-Me said...

Commenting From Iran.
Was the attack confirmed successful?
This blog was govermentally filtered in iran since 5 hours ago.for me, it is enough proof to see this as a iran's DAMNED government action spending money on hacking and cyber-violants except of improving the bandwidth and internet.
If you remember some months ago, there was a SSL Stealing of Comodo which IP was compromised as an Iranian Computer too.
_______________
P.S. to iranians
Mitonid az server haye dg vase download google chrome estefade konid. faghat ye search konid baraye downloadesh, server dg e ro peyda konid.

booniffle said...

@Amir: I believe that's because even when free Google Chrome is still a commercial product and therefore bound to the US laws forbidding commerce with Iran.

Aiden Bram said...

Would that be why I've been getting the icon in Chrome that some elements in gmail were insecure? What kind of information could they feasibly have?

Amir said...

@booniffle: Yes, I agree. This is not Google's fault as they are trying to conform with US laws, rather I mean that some of these sanction laws are really stupid and even against what they were meant for in the first place. For example, every body knows that Iranian government can get their hands on these "sensitive" software products through different channels with no difficulty, rather the burden, and now insecurity, is what is left for Iranian people, especially those who are not so tech-savvy.
I wish some action would be taken by US government to review and revise some of their sanction laws.

ViR-EnG said...

the 2-Step Verification is Not Support in IRAN , and IRAN Government Can Easily Spy Iranian ppl's Gmail Account . Please Support it for IRANian ppl

Neil said...

If you cannot download Chrome in your country due to export restrictions, or you need a US-based IP for other reasons, try a free VPN service such as (for example) www.raptorvpn.com .

AKG said...

To improve the Iranian users security I think Google must enable the 2-step verification for Iran.

If you think due to US sanctions it should be disable then why the Google SMS service is available in recovering password option?

I always believed in Google privacy policies, the privacy of Iranian users must be intact by all means.

Gary H. said...

What about the Google browser on Android? Is there a way we can disable the DigiNotar certificate? Or will an updated app be published?

adamrights said...

I would assume Iranians can use Chromium though since that is an open source project that is not a commercial product. Is this correct?