On 28 August Iranian citizens were subject to a far-reaching cyber snooping operation made possible by an attack on Dutch certificate authority DigiNotar.
Researchers at vendor Trend Micro on Monday backed up earlier claims by Google that Iranian internet users were the main target of “man-in-the-middle” attacks after DigiNotar issued a fraudulent Google.com certificate.
The Dutch Government revealed on Saturday that a total of 531 fraudulent certificates were issued by DigiNotar compared to the “few dozen” the now blacklisted certificate authority (CA) originally claimed.
While there remains some doubt over whether the Iranian Government was really behind the attacks, there was no doubt that Iranian citizens were the primary targets in the days leading to DigiNotar’s disclosure, according to Trend Micro researcher Feike Hacquebord.
Hacquebord analysed the domain “validation.diginotar.nl”, a site typically used by browsers in Holland to check the authenticity of DigiNotar-issued SSL certificates.
The site recorded a huge spike in traffic from Iran on 28 August, which all but disappeared by August 30, the day after Google, Microsoft and Mozilla blacklisted the majority of the firm’s certificates.
“These aggregated statistics from Trend Micro Smart Protection Network clearly indicate that Iranian Internet users were exposed to a large scale man-in-the-middle attack, where SSL encrypted traffic can be decrypted by a third party,” he said.
Security and privacy researcher Christopher Soghoian believed the trigger for Iran’s attack on a foreign CA was Google’s decision in 2010 to make Gmail HTTPS by default.
“Google turned on HTTPS by default for Gmail. Iran gov could no longer sniff the wire. Iran has no domestic CAs, so it hacked foreign CAs,” he said in a Twitter post Monday.
DigiNotar also revealed it had invited Dutch security firm FOX-IT to report on the incident as part of its bid to regain community trust. It has since urged Iranians to take precautions.
“It is possible that the results of the hack are used for internal Iranian political activities in order to thwart the local democratic movements,” it said.
Upon reading the report, Mozilla developer Gervase Markham urged all Iranians to update their browsers, invalidate any captured cookies by logging out of and back into every active email and social media service, and change passwords.
The fraudulent certificates would have been highly prized by Iranian authorities due to all web traffic being routed through government approved proxy servers, according to fellow Trend Micro researcher Rik Ferguson.
“In Iran, all web traffic must pass through state approved proxies, the perfect man in the middle. In this scenario, the “benefits” of owning fraudulent certificates are clear. All encrypted traffic for affected destinations can now be decrypted at will and the end-user will be entirely unaware.”
Separately, Microsoft has warned that Internet Explorer users on Windows Vista or later who used a DigiNotar certificate before August 29 could be vulnerable until September 5 because the browser may have cached DigiNotar as a trusted root CA.
Kaspersky Lab researcher Roel Schouwenberg believed the attack had much larger implications than Stuxnet, the virus believed to have been devised to destroy key parts of Iran’s nuclear program.
“The attack on DigiNotar doesn't rival Stuxnet in terms of sophistication or coordination. However, the consequences of the attack on DigiNotar will far outweigh those of Stuxnet. The attack on DigiNotar will put cyberwar on or near the top of the political agenda of Western governments,” he said.
While DigiNotar has been widely criticised for its lack of transparency and late disclosure, it still hopes to regain community trust.
“We will do anything to reinstate the trust in DigiNotar and to migrate all our customers to a new, highly secure infrastructure,” the firm said in its first update since admitting the breach.