Fraudulent Google certificate points to Internet attack

screenshot 屏幕截图
reportedly 报道 据说 传说
Dutch荷兰人 荷兰的The British and Dutch belong to the same race.
issued 发布 发行 发行日期 release
re-direct 重定向
Iran伊朗
legitimate合情合理的 合法的
alibi不在现场的证据 不在犯罪现场的证人
accessible容易获取的 容易进入的
comodo自在的 舒服的 "comodo hacker"
verified已证实 确认
fraudulent欺骗的 不诚实 a fraudulent business deal
mitigate减轻 缓和Governments should endeavour to mitigate distress
endeavour尽力 竭力 distress悲痛 贫穷 危机
provided假如 如果 只有...才 provide为提供
blocked封锁 闭锁 闭塞 阻塞
measures 尺寸 度量单位 程度 限度
investigate调查 审查The police are investigating the murder.
revoke撤销 废除
preferences参数选择 首选项
Netherlands荷兰
Representatives代表 代理 典型的 presentative抽象的 表象的
seeking hunt search  quest explore
automated自动化的
spoof spoofed 哄骗 戏弄 讽刺
acquired获取 得到
Iranian patriot 伊朗爱国者
amiss出了差错 有毛病
rogue流氓 无赖 离群的野兽
cert必然发生的 sure to happen
specific evidence明确的证明
underlying problem根本基础的问题
individual Web surfers个人web冲浪
Convergence集中 收敛 集合
illustrate 给..插图 说明 表明
balloon气球
approximately 近似的 大概
procedures程序 手续 传统的做法
mechanisms机制
repressive 抑制的 压制 残暴
regimes政治制度 政权 政体
Under the new regime in our office, no one is allowed to leave early.
bent倾向 爱好 荒地
surveillance监视 盯
or repressive regimes bent on surveillance.
tremendous 极大的 巨大的tremendous responsibility
whammy剧烈的打击 晦气
compromise折中 危害Such conduct will compromise your reputation
within在里面 在...内
mitigation缓解 减轻 平静

This screenshot shows the warning the user reportedly got when attempting to log in to Gmail.

A Dutch company appears to have issued a digital certificate for Google.com to someone other than Google, who may be using it to try to re-direct traffic of users based in Iran.

Yesterday, someone reported on a Google support site that when attempting to log in to Gmail the browser issued a warning for the digital certificate used as proof that the site is legitimate, according to this thread on a Google support forum site.

"Today, when I tried to login to my Gmail account I saw a certificate warning in Chrome," someone using the screen name "alibo" wrote. "I think my ISP or my government did this attack (because I live in Iran and you may hear something about the story of Comodo hacker!)" Alibo then posted a screenshot and the text of the certificate. The screenshot page was not accessible.

In this case the browser of the person reporting the problem warned that there was a problem with the digital certificate. However, it's unclear what triggered the warning and other browsers may not. In that event, a user could end up on a site that purports to be google.com but isn't.

CNET verified that the digital certificate is fraudulent. This Pastebin post details how to verify that a certificate is real and notes that it was issued in July. More information on how to mitigate the risk from the DigiNotar certificate is provided on this Facebook page from Ryan Hurst, manager of advertising security engineering at Microsoft.

A Google spokesman provided CNET with this statement: "A Chrome security feature warned the user of the invalid certificate and blocked them from visiting the attacker's site. We're pleased that the security measures in Chrome protected the user and brought this attack to the public's attention. While we investigate, we plan to block any sites whose certificates were signed by DigiNotar."

Mozilla said in a blog post that it was "Because the extent of the mis-issuance is not clear, we are releasing new versions of Firefox ... shortly that will revoke trust in the DigiNotar root and protect users from this attack. We encourage all users to keep their software up-to-date by regularly applying security updates. Users can also manually disable the DigiNotar root through the Firefox preferences."

The certificate was issued by DigiNotar, based in the Netherlands. Representatives from the company did not immediately respond to an e-mail seeking comment today and an automated message said the offices were closed for the night and offered no voice-mail option. A phone call and e-mail to Vasco Data Security, parent company of DigiNotar, were not immediately returned.

The situation is similar to one that happened in March in which spoofed certificates were found involving Google, Yahoo, Microsoft, and other major sites and they used Internet Protocol addresses in Iran. In that case, the fraudulent digital certificates were acquired through reseller partners of certificate authority Comodo and a 21-year-old Iranian patriot took credit for the attack, saying he was protesting U.S. foreign policy.

Moxie Marlinspike, chief technology officer of mobile security firm Whisper Systems and an expert on Internet authentication infrastructure, warned against jumping to conclusions about who is behind the attack.

"Clearly something is amiss. There's a rogue cert for all of Google services in the wild," he told CNET. "Of course many people are quick to claim that the state of Iran is responsible for all this but I think it's probably too soon to draw that conclusion. There doesn't seem to be any specific evidence."

These situations happen all the time, and rather than point fingers, the industry should fix the underlying problem, he said. In the meantime, individual Web surfers can protect themselves by using a Firefox plug-in Marlinspike developed called Convergence . "My hope is that this will be integrated into Web browsers themselves" in the future, he said.

These attacks illustrate a fundamental weakness with the current Web site authentication system in which third parties issue certificates that prove that a Web site is legitimate when making an "https://" connection. The list of certificate issuers has ballooned over the years to approximately 650 organizations, which may not always follow the strictest security procedures. And each one has a copy of the Web's master keys. There is no automated process to revoke fraudulent certificates, nor is there a public list of certificates that companies like Comodo have issued, or even which of its resellers or partners have been given a duplicate set of the master keys. And there are no mechanisms to prevent fraudulent certificates for Yahoo Mail or Gmail from being issued by compromised companies, or repressive regimes bent on surveillance.

Today's system gives browser makers tremendous responsibility. Any list of so-called certificate authorities they include will be trusted by billions of Web browsers around the world, unless users take the time to change the settings.

"I expect this type of attack to become somewhat commonplace in time," said Roel Schouwenberg, senior researcher at Kaspersky Lab. "And in this case we may be looking at a double whammy - not only does SSL suffer yet another blow, we may also be looking at a serious compromise within Vasco. The latter could have a very significant impact."

Update at 3:36 p.m. PT with Mozilla comment and mitigation information from Microsoft representative 3:27 p.m. PT with comment from Google, Marlinspike and Schouwenberg and 1:45 p.m. PT : Added details about the browser warning, and about CNET attempts to reach Vasco Data Security. and

CNET's Declan McCullagh contributed to this report.

Read more: http://news.cnet.com/8301-27080_3-20098894-245/fraudulent-google-certificate-points-to-internet-attack/#ixzz1WforaNDt