Iranians faced mass man-in-the-middle on August 28

Danger to Iranians clearer as DigiNotar begs for restored trust.

On 28 August Iranian citizens were subject to a far-reaching cyber-snooping operation made possible by an attack on Dutch certificate authority DigiNotar.

Researchers at vendor Trend Micro on Monday backed up earlier claims by Google that Iranian internet users were the main target of “man-in-the-middle” attacks after DigiNotar issued a fraudulent certificate.

The Dutch Government revealed on Saturday that a total of 531 fraudulent certificates were issued by DigiNotar compared to the “few dozen” the now blacklisted certificate authority (CA) originally claimed.

While there remains some doubt over whether the Iranian Government was really behind the attacks, there was no doubt that Iranian citizens were the primary targets in the days leading to DigiNotar’s disclosure, according to Trend Micro researcher Feike Hacquebord.

Hacquebord analysed the domain “”, a site typically used by browsers in Holland to check the authenticity of DigiNotar-issued SSL certificates.

The site recorded a huge spike in traffic from Iran on 28 August, which all but disappeared by August 30, the day after Google, Microsoft and Mozilla blacklisted the majority of the firm’s certificates.

“These aggregated statistics from Trend Micro Smart Protection Network clearly indicate that Iranian Internet users were exposed to a large scale man-in-the-middle attack, where SSL encrypted traffic can be decrypted by a third party,” he said.

Security and privacy researcher Christopher Soghoian believed the trigger for Iran’s attack on a foreign CA was Google’s decision in 2010 to make Gmail HTTPS by default.

“Google turned on HTTPS by default for Gmail. Iran gov could no longer sniff the wire. Iran has no domestic CAs, so it hacked foreign CAs,” he said in a Twitter post Monday. 

DigiNotar also revealed it had invited Dutch security firm FOX-IT to report on the incident as part of its bid to regain community trust. It has since urged Iranians to take precautions.

“It is possible that the results of the hack are used for internal Iranian political activities in order to thwart the local democratic movements,” it said.

Upon reading the report, Mozilla developer Gervase Markham urged all Iranians to update their browsers, invalidate any captured cookies by logging out of and back into every active email and social media service, and change passwords.

The fraudulent certificates would have been highly prized by Iranian authorities because all web traffic is routed through government-approved proxy servers, according to fellow Trend Micro researcher Rik Ferguson.

“In Iran, all web traffic must pass through state approved proxies, the perfect man in the middle. In this scenario, the ‘benefits’ of owning fraudulent certificates are clear. All encrypted traffic for affected destinations can now be decrypted at will and the end-user will be entirely unaware.”

Separately, Microsoft has warned that Internet Explorer users on Windows Vista or later who used a DigiNotar certificate before August 29 could be vulnerable until September 5 because the browser may have cached DigiNotar as a trusted root CA.

Kaspersky Lab researcher Roel Schouwenberg believed the attack had much larger implications than Stuxnet, the virus believed to have been devised to destroy key parts of Iran’s nuclear program.

“The attack on Diginotar doesn't rival Stuxnet in terms of sophistication or coordination. However, the consequences of the attack on Diginotar will far outweigh those of Stuxnet. The attack on Diginotar will put cyberwar on or near the top of the political agenda of Western governments,” he said.

While DigiNotar has been widely criticised for its lack of transparency and late disclosure, it still hopes to regain community trust.

“We will do anything to reinstate the trust in DigiNotar and to migrate all our customers to a new, highly secure infrastructure,” the firm said in its first update since admitting the breach.
