August 29, 2011

An update on attempted man-in-the-middle attacks



Today we received reports of attempted SSL man-in-the-middle (MITM) attacks against Google users, whereby someone tried to get between them and encrypted Google services. The people affected were primarily located in Iran. The attacker used a fraudulent SSL certificate issued by DigiNotar, a root certificate authority that should not issue certificates for Google (and has since revoked it).

Google Chrome users were protected from this attack because Chrome was able to detect the fraudulent certificate.

To further protect the safety and privacy of our users, we plan to disable the DigiNotar certificate authority in Chrome while investigations continue. Mozilla also moved quickly to protect its users. This means that Chrome and Firefox users will receive alerts if they try to visit websites that use DigiNotar certificates. Microsoft also has taken prompt action.

To help deter unwanted surveillance, we recommend that users, especially those in Iran, keep their web browsers and operating systems up to date and pay attention to web browser security warnings.

Update Aug 30: Added information about Microsoft's response.

Update Sept 3: Our top priority is to protect the privacy and security of our users. Based on the findings and decision of the Dutch government, as well as conversations with other browser makers, we have decided to reject all of the Certificate Authorities operated by DigiNotar. We encourage DigiNotar to provide a complete analysis of the situation.

26 comments:

  1. Does this also include the "DigiNotar PKIoverheid CA Overheid en Bedrijven" root which is maintained by the same company?

    ReplyDelete
  2. And how about the Google Talk? Despite Chrome and Firefox, it didn't give any alert while signing in my account. Unfortunately, Google Talk hasn't been updated for a long time!

    ReplyDelete
  3. Unfortunately we can not use 2-step verification in Iran.Please make available.

    ReplyDelete
  4. What about users who are using outlook to check their GMail box?

    ReplyDelete
  5. Could you explain how Chrome was able to detect the fraudulent certificate ?

    ReplyDelete
  6. I've been using Firefox "Certificate Patrol" extension, and for some weeks I've noticed a high number of warnings of changed certificates coming from Google sites. I've no particular reason to think these were MITM attacks, but at the time suspected it depended on which load-balanced server the connection was made to.

    The current mix of wildcard and specific certificates across several domains that Google uses makes it less easy to spot changed certificates.

    Do you have any policies about keeping server certs globally synchronised to help in such MITM detection?

    ReplyDelete
  7. Pienso que con la suite de Navegadores Netscape 9, SeaMonkey 4.3 o Mozilla 8.0 tambien se encuentran protegidos.

    Julio Belinchón Hernández.

    ReplyDelete
  8. Opera users are also automatically protected.

    http://my.opera.com/securitygroup/blog/2011/08/30/when-certificate-authorities-are-hacked-2

    ReplyDelete
  9. it's Irans Governement, want to spy ppl g-mail account ...
    please do something against them, it's truly illegal and irespected action :(

    ReplyDelete
  10. Hi
    I'm a Iranian User
    Really thanks for warning.
    This problem was prevalent in recent days.
    many of my friends said me it happened for them.

    ReplyDelete
  11. what are you talking about ?
    its just end user that is under pressure every time.from Both Government and Google,
    Google also blocked lots of its service from Iran ,
    it blocked google Code,Google API and lots of other service,
    why ?
    we have to use tool provided by US Government in order to prevent its sanction on internet.
    I mean that US Government put sanction on Internet access on some site,and it self provide us lots of tools to prevent this sanction.
    tools like VPN,Your Freedom,CProxy,Tor,Radio Farda and lots of other tools that US Gov Support them.

    ReplyDelete
  12. "Google Chrome users were protected from this attack because Chrome was able to detect the fraudulent certificate."..."In addition in Chromium 13, only a very small subset of CAs have the authority to vouch for Gmail (and the Google Accounts login page)."

    Could you give a link to the chromium code where this subset of CAs exists and the check occurs?

    Thanks!

    ReplyDelete
  13. It would be interesting to know the background and reasons of the attack.

    ReplyDelete
  14. Only if we were allowed to update chrome in Iran!

    ReplyDelete
  15. It's ironic that you cannot download and install Chrome in Iran because of US export laws. If you really care about protecting your Iranian users why don't you make Chrome available to them somehow?
    And why should installing a web browser be included in sanctions? This is basically a sanction against Iranian people not Iranian regime.

    ReplyDelete
  16. Commenting From Iran.
    Was the attack confirmed successful?
    This blog was govermentally filtered in iran since 5 hours ago.for me, it is enough proof to see this as a iran's DAMNED government action spending money on hacking and cyber-violants except of improving the bandwidth and internet.
    If you remember some months ago, there was a SSL Stealing of Comodo which IP was compromised as an Iranian Computer too.
    _______________
    P.S. to iranians
    Mitonid az server haye dg vase download google chrome estefade konid. faghat ye search konid baraye downloadesh, server dg e ro peyda konid.

    ReplyDelete
  17. @Amir: I believe that's because even when free Google Chrome is still a commercial product and therefore bound to the US laws forbidding commerce with Iran.

    ReplyDelete
  18. Would that be why I've been getting the icon in Chrome that some elements in gmail were insecure? What kind of information could they feasibly have?

    ReplyDelete
  19. @booniffle: Yes, I agree. This is not Google's fault as they are trying to conform with US laws, rather I mean that some of these sanction laws are really stupid and even against what they were meant for in the first place. For example, every body knows that Iranian government can get their hands on these "sensitive" software products through different channels with no difficulty, rather the burden, and now insecurity, is what is left for Iranian people, especially those who are not so tech-savvy.
    I wish some action would be taken by US government to review and revise some of their sanction laws.

    ReplyDelete
  20. the 2-Step Verification is Not Support in IRAN , and IRAN Government Can Easily Spy Iranian ppl's Gmail Account . Please Support it for IRANian ppl

    ReplyDelete
  21. If you cannot download Chrome in your country due to export restrictions, or you need a US-based IP for other reasons, try a free VPN service such as (for example) www.raptorvpn.com .

    ReplyDelete
  22. To improve the Iranian users security I think Google must enable the 2-step verification for Iran.

    If you think due to US sanctions it should be disable then why the Google SMS service is available in recovering password option?

    I always believed in Google privacy policies, the privacy of Iranian users must be intact by all means.

    ReplyDelete
  23. What about the Google browser on Android? Is there a way we can disable the DigiNotar certificate? Or will an updated app be published?

    ReplyDelete
  24. I would assume Iranians can use Chromium though since that is an open source project that is not a commercial product. Is this correct?

    ReplyDelete
  25. عندي مشكلها بلموقع البريدالكتروني بتهية ولكن كيف فانا ماريد افقد الموقع حقي والبيانات+الاصدقاء بجوجل + ولا اعرف كيف وفية مشكلة بتزامن وتهيات البريد الكتروني فهل في لاصلاح الموقع مع التزامن ومشكورين لكي لا افقد شئ من الموقع حقي حتي الرسايل البريد الكتروني برضو مشكلة ولا اعرف كيف

    ReplyDelete

You are welcome to contribute comments, but they should be relevant to the conversation. We reserve the right to remove off-topic remarks in the interest of keeping the conversation focused and engaging. Shameless self-promotion is well, shameless, and will get canned.

Note: Only a member of this blog may post a comment.