False SSL certificates issued for spy agencies

Summary: Fraudulent certificates for a number of organisations, including MI6, the CIA and Mossad, were issued following the hack on Dutch certification company DigiNotar

The UK's Secret Intelligence Service, the CIA and Mossad were among organisations spoofed after a hack on Dutch certificate authority DigiNotar.

Diginotar website

Around 531 organisations were targeted by falsely issued SSL certificates, including the UK's Secret Intelligence Service, after a hack on Dutch certificate authority DigiNotar.

The Tor project released a Dutch government-compiled list of bad DigiNotar-related certificates in a blog post on Sunday. A number of falsely issued certificates were created for MI6, while organisations including Google, Facebook, Twitter, Skype and the Tor project itself were also targeted. In all, 531 organisations were affected, Jacob Appelbaum, one of the core Tor project developers, said in the blog post.

"The most egregious certs issued were for *.*.com and *.*.org while certificates for Windows Update and certificates for other hosts are of limited harm by comparison," Appelbaum said.

Microsoft said on Sunday that Windows Update users were not at risk of exploitation from the windowsupdate.com certificate, as the domain was no longer in use.

Google warned on 29 August that its Iranian users were being redirected to seemingly legitimate Google web services pages, which used a fraudulently generated SSL certificate to pretend that the pages were part of Google.com.

The attack appeared to have been used to spy on Iranian web users on a grand scale, security company Trend Micro said in a blog post on Monday, particularly those using Gmail.

"We found that internet users in more than 40 different networks of ISPs and universities in Iran were confronted with rogue SSL certificates issued by DigiNotar," Trend Micro senior threat researcher Feike Hacquebord said in the blog post. "Even worse: we found evidence that some Iranians who used software designed to circumvent censorship and snooping on traffic were not protected against the massive man-in-the-middle attack."

Trend Micro analysed customer traffic, and found that the SSL validation site validation.diginotar.nl was "mostly loaded by Dutch and Iranian Internet users until August 30, 2011", when the false certificates were publicised. In addition, Iranians using anti-censorship technology from an unnamed Californian organisation that relies on proxy nodes were not protected, said Hacquebord.
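The two warning signs the article describes, a leaf certificate chaining to a CA that has been distrusted and over-broad wildcard names such as `*.*.com`, can be turned into a simple check over observed TLS handshakes. The following is an added example, not code from the article or from any of the companies it quotes: the certificate records, the distrusted-issuer list, the expected-issuer pins and the public-suffix stand-in are all constructed for illustration (a real deployment would take the distrusted list from the browser or OS vendor's revocation update). It applies the RFC 6125 rule that a wildcard may appear only in the leftmost label, which is why `*.*.com` is flagged.

```python
"""Flag TLS certificate observations that match the DigiNotar incident pattern.

Added example (not from the ZDNet article). Given records of certificates seen in
TLS handshakes, flag those issued under a distrusted CA, those whose issuer does
not match the pin expected for the host, and those whose subject names are
over-broad wildcards such as "*.*.com". All data below is constructed.
"""
from dataclasses import dataclass

# Issuer common names treated as distrusted. The root name is the one vendors
# distrusted in 2011; the intermediate is a constructed placeholder.
DISTRUSTED_ISSUERS = {"DigiNotar Root CA", "DigiNotar Example Intermediate CA"}

# Expected issuer per host (an assumed pin set, constructed for this example).
PINNED_ISSUERS = {"mail.google.com": {"Google Internet Authority"}}

# Tiny stand-in for a public suffix list: a wildcard directly under one of
# these labels would cover every registrable domain beneath it.
PUBLIC_SUFFIXES = {"com", "org", "net", "nl"}


@dataclass
class CertObservation:
    host: str     # hostname the client connected to
    issuer: str   # issuer common name from the leaf certificate
    names: list   # subject CN plus subjectAltName DNS entries


def wildcard_problems(name: str) -> list:
    """Return reasons a certificate name is over-broad; empty list if it is fine."""
    labels = name.lower().split(".")
    problems = []
    # RFC 6125: a wildcard is only acceptable in the leftmost label, so
    # "*.*.com" (wildcard in the second label) is rejected here.
    if any("*" in lbl for lbl in labels[1:]):
        problems.append("wildcard outside leftmost label")
    if labels[0] == "*":
        rest = labels[1:]
        # "*.com" would match every second-level domain under .com
        if len(rest) == 1 and rest[0] in PUBLIC_SUFFIXES:
            problems.append("wildcard covers an entire public suffix")
    elif "*" in labels[0]:
        # "ma*l.example.com": partial-label wildcards are not accepted here
        problems.append("partial wildcard label")
    return problems


def assess(obs: CertObservation) -> dict:
    """Evaluate one observation and return the findings for it."""
    findings = []
    if obs.issuer in DISTRUSTED_ISSUERS:
        findings.append(f"issued by distrusted CA '{obs.issuer}'")
    expected = PINNED_ISSUERS.get(obs.host)
    if expected is not None and obs.issuer not in expected:
        findings.append(f"issuer '{obs.issuer}' does not match pin for {obs.host}")
    for n in obs.names:
        for p in wildcard_problems(n):
            findings.append(f"name '{n}': {p}")
    return {"host": obs.host, "suspicious": bool(findings), "findings": findings}


# Constructed sample observations (not real captured data). The first mimics
# the Gmail interception the article describes; the third mimics the
# "*.*.com" / "*.*.org" certificates Appelbaum called the most egregious.
SAMPLE_OBSERVATIONS = [
    CertObservation("mail.google.com", "DigiNotar Example Intermediate CA",
                    ["*.google.com"]),
    CertObservation("mail.google.com", "Google Internet Authority",
                    ["*.google.com", "mail.google.com"]),
    CertObservation("example.org", "Example Issuing CA", ["*.*.com", "*.*.org"]),
    CertObservation("windowsupdate.com", "Example Issuing CA",
                    ["*.windowsupdate.com"]),
]


def suspicious_observations(observations=SAMPLE_OBSERVATIONS) -> list:
    """Return the assessment records that carry at least one finding."""
    return [r for r in map(assess, observations) if r["suspicious"]]


if __name__ == "__main__":
    for record in suspicious_observations():
        print(record["host"])
        for finding in record["findings"]:
            print("  -", finding)
```

The pin check is the part that catches a fraudulent certificate even when the issuing CA has not yet been distrusted: a client that knows which CA normally signs for a host can refuse a chain that ends somewhere else, which is the same idea as the browser-side issuer pinning that limited the damage for some users in this incident.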

Revoked trust

The Dutch government has revoked trust in DigiNotar certificates, a government technician told ZDNet UK on Monday.

The Dutch government used to recognise two types of DigiNotar certificates until Saturday — general certificates issued to business, and certificates the government used in its own public key infrastructure (PKI) called 'PKIoverheid'. The technician advised people to be careful of using the Dutch government PKI until the government transfers to a different PKI provider.

"It's not safe to use [the PKI]," said the technician. "You need to be careful of government sites with a yellow lock in the URL bar, especially if the sites say they will transfer you to another website."

The Dutch Computer Emergency Response Team (Cert) said that an audit by security company Fox-IT on Friday had found that 'PKI overheid' could no longer be trusted (Dutch).

The Dutch minister of internal affairs announced the government was revoking DigiNotar certificates at 1.15am on Saturday morning, according to security company Kaspersky, which said the compromise could be more important than Stuxnet.

"The Dutch government is launching a formal investigation to find out if the Iranian government was behind the attack," said Kaspersky Lab security expert Roel Schouwenberg.

In a blog post on Monday, Mozilla developer Gervase Markham said that the Fox-IT report should be ready for release soon, and that Iranian users should update their Firefox browsers.

The Dutch government announced it had taken over operational management of DigiNotar certificates in a release on Monday.




About

Tom is a technology reporter for ZDNet.com, writing about all manner of security and open-source issues.
