Fake SSL certificates pirate Web sites

Summary: It used to be that you knew you could trust a Web site when your Web browser securely connected to it over a valid HTTPS connection. Now that trust has been shaken.


There's never been much you could really trust in computer security, but you could usually put your faith in a Hypertext Transfer Protocol Secure (HTTPS) connection. The combination of the Web's HTTP with the encryption and authentication provided by the Transport Layer Security (TLS) or Secure Sockets Layer (SSL) protocols was a gold standard of Internet security. Oh well, it was nice while it lasted. Now we need to be wary of those as well, thanks to DigiNotar, a Dutch Certificate Authority (CA), being cracked and used to issue fraudulent SSL certificates.

Here's how this newest network security fiasco came about. DigiNotar was broken into in July by a Farsi-speaking cracker, probably from Iran, although the rogue *.google.com certificate didn't surface until August 28th. Once in, he was able to issue certificates for numerous legitimate domains, Google's and Microsoft's among them, and those certificates then turned up in use on networks in Iran.

So, what did that mean for users? Say you were in Tehran and wanted to check your Gmail account. If you logged in, and your ISP had been compromised or was in on the certificate fraud, it would look like you had a normal secure connection to Gmail. Wrong.

According to Google, what actually happened was that you had been caught in an SSL man-in-the-middle (MITM) attack. Armed with the fraudulent certificate, the crackers, perhaps the Iranian government, could sit between your computer and Google and read your e-mail traffic in both directions. The same went for many other Web sites and services whose names appeared on the rogue certificates.

It works like this. Web servers and browsers rely on SSL or TLS to create an encrypted channel for private communications over the Internet. A server's SSL certificate binds its domain name to a public key and carries the signature of a CA; the matching private key stays on the server and never leaves it. When a Web browser connects to a secured domain, it checks that the certificate's name matches the site, that the certificate is still valid, and that the CA's signature chains up to a root in the browser's or operating system's trust store. Only then does the browser go on to negotiate session keys with the server, which proves possession of the private key along the way; the exact cipher depends on what the client browser, operating system and Web server support.

Typically an HTTPS connection uses a 128- or 256-bit cipher, which no cracker is going to brute-force. That strength is beside the point when someone holds a fraudulent certificate for the site you're visiting: the man-in-the-middle presents it to your browser, which accepts it because it chains to a trusted CA, and then opens its own, perfectly legitimate connection to the real site. Your traffic goes back and forth apparently as normal, but every byte is decrypted, read and re-encrypted in the middle. The encryption is never broken; the trust decision is.

Some Web browsers, like Chrome, still caught that something was wrong. Chrome ships with a built-in list of the public keys Google's own domains are expected to use, so a *.google.com certificate signed by DigiNotar, however valid its chain, failed that check and the browser warned users. Users of other browsers were not so lucky. By early on Sunday, though, Google, Mozilla and Microsoft had all caught on to what was going on and had blocked the fraudulent DigiNotar certificates in their browsers.
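The scenario in the preceding paragraphs, as an added illustration that is not code from the article, from Google or from DigiNotar: a constructed "DigiNotar Root CA" and an honest root both sit in the browser's trust store, the intruder mints a certificate for mail.google.com from the compromised root, and a simplified browser check accepts it because the chain is valid. The same check with Chrome-style public key pinning, or with the DigiNotar root removed from the store, rejects it. The CA names, the hostname, the dates and the key sizes are assumptions, and the code needs the Python `cryptography` package.

```python
"""Added illustration: why a certificate from a compromised CA lets a MITM
succeed, and the two defences used against DigiNotar (key pinning and
distrusting the root). Example code, not any browser's or CA's implementation.
Requires the 'cryptography' package (pip install cryptography)."""
import datetime
import hashlib

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID

HOST = "mail.google.com"  # assumed hostname the victim types in


def make_ca(name):
    """Constructed self-signed root; stands in for a real CA such as DigiNotar."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, name)])
    start = datetime.datetime(2011, 7, 1)  # assumed validity window
    cert = (x509.CertificateBuilder()
            .subject_name(subject).issuer_name(subject)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(start).not_valid_after(start + datetime.timedelta(days=3650))
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert


def issue_leaf(ca_key, ca_cert, hostname):
    """The CA signs a server certificate binding `hostname` to a fresh key pair."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    start = datetime.datetime(2011, 7, 10)
    cert = (x509.CertificateBuilder()
            .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, hostname)]))
            .issuer_name(ca_cert.subject)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(start).not_valid_after(start + datetime.timedelta(days=365))
            .add_extension(x509.SubjectAlternativeName([x509.DNSName(hostname)]), critical=False)
            .sign(ca_key, hashes.SHA256()))
    return key, cert


def spki_sha256(cert):
    """What public key pinning compares: SHA-256 over the DER SubjectPublicKeyInfo."""
    der = cert.public_key().public_bytes(serialization.Encoding.DER,
                                         serialization.PublicFormat.SubjectPublicKeyInfo)
    return hashlib.sha256(der).hexdigest()


def browser_accepts(leaf, trust_store, hostname, pins=None):
    """Simplified browser check: the name matches, a trusted root signed the leaf,
    and, if the site is pinned, the leaf's key is one of the pinned keys."""
    san = leaf.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    if hostname not in san.get_values_for_type(x509.DNSName):
        return False
    for root in trust_store:
        if root.subject != leaf.issuer:
            continue
        try:
            root.public_key().verify(leaf.signature, leaf.tbs_certificate_bytes,
                                     padding.PKCS1v15(), leaf.signature_hash_algorithm)
        except InvalidSignature:
            continue
        break
    else:
        return False  # no trusted root vouches for this certificate
    if pins is not None and spki_sha256(leaf) not in pins:
        return False  # valid chain, but not the key this site is known to use
    return True


def scenario():
    """Run the DigiNotar situation through the check above and report each outcome."""
    honest_key, honest_root = make_ca("Honest Root CA")
    dn_key, dn_root = make_ca("DigiNotar Root CA")          # the compromised CA
    _, real_leaf = issue_leaf(honest_key, honest_root, HOST)  # Google's real cert
    _, rogue_leaf = issue_leaf(dn_key, dn_root, HOST)         # what the intruder minted
    store = [honest_root, dn_root]                            # both roots trusted, as in 2011
    pins = {spki_sha256(real_leaf)}                           # Chrome-style built-in pin
    return {
        "rogue_passes_plain_check": browser_accepts(rogue_leaf, store, HOST),
        "rogue_fails_with_pins": not browser_accepts(rogue_leaf, store, HOST, pins),
        "real_passes_with_pins": browser_accepts(real_leaf, store, HOST, pins),
        "rogue_fails_after_distrust": not browser_accepts(rogue_leaf, [honest_root], HOST),
    }


if __name__ == "__main__":
    for check, ok in scenario().items():
        print(f"{check}: {ok}")
```

The check deliberately stops at what made the attack work: any root in the store may vouch for any name, so a rogue certificate with a valid chain is indistinguishable from the real one unless the browser already knows which key the site should be using or the root has been thrown out.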

To make doubly sure, Microsoft today, September 6th, has banned the use of all SSL certificates from DigiNotar. While Microsoft has been able to make that stick on modern versions of Windows, it's still possible for Windows XP and Windows Server 2003 users to connect through a falsely secured connection. Microsoft states it will be issuing a patch soon. In the meantime, if I were you, I'd use Google's Chrome Web browser and not use Windows Update until this problem is nailed down once and for all.

UPDATE, September 7th: Microsoft has issued its updated CA list for XP and 2003. Update your systems now.

This, let me point out, is not a Windows, Mac OS X or Linux problem. It's not even a browser problem per se. It's a problem with a trusted Internet source being compromised and everyone else potentially paying the price. The deeper problem is that a heretofore trustworthy CA has now been shown to be hackable, and every browser trusts every root in its store equally, so a single compromised CA can vouch for any site on the Web. For those of us who are seriously concerned about security, that means we can no longer assume that even an HTTPS connection is probably secure. Wonderful. Just wonderful.
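One check worth running after a CA is thrown out is whether your own machine still trusts it. The following is an added example, not code from the article or from any vendor: it loads the default trust store through Python's standard `ssl` module and reports any root whose subject names DigiNotar. Matching on a substring of the subject is an assumption, and the sample store is constructed so the function can be exercised offline.

```python
"""Added check, not from the article or any vendor: list the roots in this
machine's default trust store whose subject names a distrusted CA (DigiNotar
here). Standard library only."""
import ssl

# Assumption: a case-insensitive substring match on the subject is enough.
DISTRUSTED_NAMES = ("diginotar",)


def subject_to_string(subject):
    """ssl's get_ca_certs() gives the subject as a tuple of RDNs, each a tuple
    of (attribute, value) pairs; flatten it to a single readable string."""
    return ", ".join(f"{attr}={value}" for rdn in subject for attr, value in rdn)


def find_distrusted_roots(ca_certs, names=DISTRUSTED_NAMES):
    """Return the subject strings of loaded roots matching any distrusted name."""
    hits = []
    for cert in ca_certs:
        subject = subject_to_string(cert.get("subject", ()))
        if any(name in subject.lower() for name in names):
            hits.append(subject)
    return hits


def audit_default_trust_store():
    """Load the OS/OpenSSL default roots and report any distrusted ones.
    get_ca_certs() lists only roots OpenSSL has actually loaded, so an empty
    result on a capath-based system is not proof the root is absent."""
    ctx = ssl.create_default_context()
    return find_distrusted_roots(ctx.get_ca_certs())


# Constructed sample in the shape ssl returns, so the check runs offline.
SAMPLE_STORE = [
    {"subject": ((("countryName", "NL"),),
                 (("organizationName", "DigiNotar"),),
                 (("commonName", "DigiNotar Root CA"),))},
    {"subject": ((("countryName", "US"),),
                 (("organizationName", "Example Trust"),),
                 (("commonName", "Example Root CA"),))},
]

if __name__ == "__main__":
    print("sample store:", find_distrusted_roots(SAMPLE_STORE))
    print("this machine:", audit_default_trust_store())
```

On a patched system the second line should print an empty list; anything else means the vendor update has not reached that machine's store.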

  • The Internet has become the Wild West.

    Lawlessness is rampant.
    Bounty Hunters needed to round up these criminals and bring them to justice.
    Dietrich T. Schmitz *Your
    • Would that include the 'criminals' behind Stuxnet?

      @Dietrich T. Schmitz * Your Linux Advocate Certificates stolen from JMicron and Realtek were used to sign the Stuxnet rootkit drivers. More here:


      Is the act of stealing digital certificates for nefarious purposes any more noble than hacking a CA and issuing fake certificates?

      When rewriting history, one can become the 'good guy' simply through the judicious choice of time=0. The above link was posted in July, 2010.
      Rabid Howler Monkey
      • RE: Fake SSL certificates pirate Web sites

        @Rabid Howler Monkey You mean is the act of stealing digital certificates to save the world from nuclear armageddon any more noble than hacking a CA and issuing fake certificates? In that case, I'd say heck yes.
      • RE: Fake SSL certificates pirate Web sites

        @jgm@ Two philosophical principles that have failed the U.S. gov't miserably, time after time (look up 'blowback'):

        1. The end justifies the means
        2. The enemy of your enemy is your friend

        Guess which one applies to the stolen digital certificates?

        P.S. Wrt a potential nuclear catastrophe, *nothing* comes close to Pakistan.
        Rabid Howler Monkey
      • RE: Fake SSL certificates pirate Web sites

        @Rabid Howler Monkey: Pakistan is a worse threat than Iran? That doesn't mean Iran isn't a threat.

        If Stuxnet is the effort of a western nation, maybe its use was an attempt to fight an inevitable battle without collateral damage. Sounds reasonable to me. The other options are to wait for 100% certain evidence that the enemy did attack before we respond (wait till we are dead), or bomb Tehran as if it was London in WWII.
        Dave Keays
    • RE: Fake SSL certificates pirate Web sites

      @Dietrich T. Schmitz * Your Linux Advocate

      A lot of good that will do when some of these individuals work for governments, i.e., Iran's, where they are "the law".
  • RE: Fake SSL certificates pirate Web sites

    Of course, for such a scheme to be successful, more needs to be done than just presenting users with a false certificate. For instance, to lure someone to a fake Google or Microsoft site, you need to also present the user with spoofed DNS records, to steer them to the fake website in the first place.

    By the way, the hack occurred already in July, and I am at a loss how Chrome would be able to warn the user, especially considering that some of the forged certificates didn't contain any revocation information.
    • RE: Fake SSL certificates pirate Web sites

      @sjaak327 Not true. Any link between you and Google can insert the fake certificate. For example, your ISP or any other router in between you and the real Google can be the man in the middle. They serve up the fake certificate and relay real information between Google and you while making a copy for themselves. Additionally, they could insert the fake and redirect you to another site at the same time, but it appears that what they are really looking to do is convince you that your connection is a secure one, send you to the site you are going to and snoop all of your data. This is also a way that they can log your username and password for their own use.
      • RE: Fake SSL certificates pirate Web sites

        How do you determine the authenticity of a certificate/secure connection and what can be done to avoid personal info, such as username and password, getting into the wrong hands?
  • RE: Fake SSL certificates pirate Web sites

    I just got a $829.99 iPad2 for only $103.37 and my mom got a $1499.99 HDTV for only $251.92, they are both coming with USPS tomorrow. I would be an idiot to ever pay full retail prices at places like Walmart or Bestbuy. I sold a 37" HDTV to my boss for $600 that I only paid $78.24 for. I use http://bit.ly/grab1002
    • RE: Fake SSL certificates pirate Web sites

      @charlesreese SPAM
      • RE: Fake SSL certificates pirate Web sites

        @Quebec99 - he probably came here to see how he could steal certs for himself!
    • RE: Fake SSL certificates pirate Web sites

      . . . and they are selling fake SSL certificates???
  • RE: Fake SSL certificates pirate Web sites

    I used to think Microsoft's advice to shut off your Corporate CA server and "put it in a closet" until you need to create a new cert was overprotective to the point of being paranoid, but these days, that's pretty good advice...
  • What is your advice (if any)...

    ...for users?
    • RE: Fake SSL certificates pirate Web sites

      @GrizzledGeezer Keep your software updated. For Android users with root there is CACertMan:
      It will let you remove CAs that you do not trust. DigiNotar and CNNIC (Chinese) are often recommended to remove (if they're there). You may want to remove other ones too.
      Removing too many will however lead to warnings most of the times you connect to anything over SSL while not making you much more secure.
    • RE: Fake SSL certificates pirate Web sites

      Steven J. Vaughan-Nichols' advice to "not use Windows Update" strikes me as reckless and unfathomable. I personally will choose to follow Microsoft's advice and install the latest security update that they published for this very issue. Information here: http://support.microsoft.com/kb/2607712
  • RE: Fake SSL certificates pirate Web sites

    Why do you say "not use Windows Update"? Microsoft released a patch yesterday. Why are you telling people not to install it?

  • Thanks

    Thank you for using the correct term for the criminal "cracker" instead of "hacker." Most people don't catch the distinction but there is one.