Google.com spoof triggers scramble to clean up

Google.com spoof triggers scramble to clean up

Summary: Google, Mozilla and Microsoft have rushed to strengthen protections against an attack that used a fraudulent SSL certificate to fool people into thinking they were using Google.com

SHARE:
TOPICS: Security
0

Google, Microsoft and Mozilla have jumped to shore up defences against an attack that used a fraudulent digital certificate to fool people into handing information over to spoofed Google.com services.

After being alerted by users, Google warned on Monday that intruders had tried to get between Iranian web users and encrypted Google services using a man-in-the-middle attack. The attack could have put users' sensitive information, such as login credentials, at risk.

The attack attempted to redirect people to a seemingly legitimate Google services page, which used a fraudulently generated SSL certificate to guarantee that it was part of Google.com. For example, a user could have thought they were writing a Gmail message, when in fact the information would have been captured by the attacker.

"The people affected were primarily located in Iran," Heather Adkins, information security manager at Google, said in a blog post. "The attacker used a fraudulent SSL certificate issued by DigiNotar, a root certificate authority that should not issue certificates for Google (and has since revoked it)."

In response, web companies scrambled to mitigate the danger to their users from the attack. On Monday, Mozilla updated Firefox for Desktop, Thunderbird and SeaMonkey to revoke the fraudulently issued certificate, while Microsoft said websites with certificates issued by DigiNotar would not be trusted by Windows Vista and later versions of the operating system.

In addition, Google blocked 247 certificates in the Chromium source code, which security company Sophos suggested were likely to have been linked to the attack.

DigiNotar hack

Vasco, the parent company of DigiNotar, put the problem down to a hack of the Dutch certificate authority on 19 July. It said on Tuesday the hackers had fraudulently issued certificates for a number of domains, including Google.com. The fraud also covered Extended Validation SSL (EVSSL) certificates, which have more stringent issuing guidelines.

Read this

Ripe NCC introduces IP certification

Organisations will be able to get certificates for IP address blocks, which Ripe NCC says will cut down on incidents where internet traffic is badly routed around the world

Read more+

DigiNotar revoked the certificates when it found out about the attack, but did not revoke the particular certificate for Google.com. The company had not responded to a request for comment at the time of writing.

The Dutch company's portal has been hacked by a number of groups, including people claiming to be Iranian, according to F-Secure's chief research officer Mikko Hypponen.

"Didn't DigiNotar think it's a tad weird that Google would suddenly renew their SSL certificate and decide to do it with a mid-sized Dutch [certificate authority], of all places?" Hypponen said in a blog post. "And when DigiNotar was auditing their systems after the breach, how on earth did they miss the Iranian defacement?"

The hackers were probably looking for information on Gmail, Google Docs, and Google+ users, Hypponen suggested. "It's likely the government of Iran is using these techniques to monitor local dissidents," he said.


Get the latest technology news and analysis, blogs and reviews delivered directly to your inbox with ZDNet UK's newsletters.

Topic: Security

Tom Espiner

About Tom Espiner

Tom is a technology reporter for ZDNet.com. He covers the security beat, writing about everything from hacking and cybercrime to threats and mitigation. He also focuses on open source and emerging technologies, all the while trying to cut through greenwash.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

0 comments
Log in or register to start the discussion