[FSec] Diginotar hacked by Black.Spook and Iranian Hackers

Diginotar is a Dutch Certificate Authority. They sell SSL certificates.

diginotar.png


Somehow, someone managed to get a rogue SSL certificate from them on July 10th, 2011. This certificate was issued for domain name *.google.com.

What can you do with such a certificate? Well, you can impersonate Google - assuming you can first reroute internet traffic for google.com to you. This is something that can be done by a government or by a rogue ISP. Such a reroute would only affect users within that country or under that ISP.

But why would anybody want to intercept Google? Well, this is not really about the search engine at www.google.com. This is about the GMail servers at mail.google.com and Google Docs at docs.google.com and maybe Google+ at plus.google.com.

We saw a similar attack in May (via the certificate reseller instantssl.it in Italy). That case was tied to Iran. So is this one. It's likely the Government of Iran is using these techniques to monitor local dissidents.

Iran does not have its own Certificate Authority. If they did, they could just issue rogue certificates themselves. But since they don't, they need such certificates from a widely trusted CA. Like Diginotar.
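The scenario above is exactly what an issuer-pinning check on the client or monitoring side is meant to catch: a certificate whose subject covers mail.google.com but whose issuer is not the CA that normally issues Google's certificates. The following is an added example, not F-Secure's code; the baseline issuer name, the observation records and the dates are constructed to mirror the incident, not copied from the real certificate.

```python
"""Issuer-pinning check over constructed certificate observations.

Added example. The expected-issuer baseline, observation records and
sources are constructed placeholders, not data from the real incident.
"""
from dataclasses import dataclass
from datetime import date

# Hypothetical baseline: which CAs have historically issued certificates
# for a domain. A browser vendor or an ISP's TLS monitor would build this
# from past observations; the name below is a placeholder.
EXPECTED_ISSUERS = {
    "google.com": {"Example Trusted CA (placeholder)"},
}

@dataclass(frozen=True)
class CertObservation:
    subject_cn: str   # leaf certificate CN, may be a wildcard
    issuer_cn: str    # CN of the issuing CA
    not_before: date  # start of validity period
    seen_from: str    # where the observation came from (constructed)

def subject_covers(subject_cn: str, hostname: str) -> bool:
    """True if subject_cn matches hostname. A wildcard matches exactly one
    left-most label, so '*.google.com' covers mail.google.com but neither
    google.com itself nor a.b.google.com (RFC 6125 behaviour)."""
    if subject_cn.startswith("*."):
        head, _, rest = hostname.partition(".")
        return bool(head) and rest == subject_cn[2:]
    return subject_cn == hostname

def registrable_domain(hostname: str) -> str:
    """Last two labels; sufficient for the google.com case modelled here."""
    return ".".join(hostname.split(".")[-2:])

def find_rogue_certs(observations, hostname):
    """Return observations whose subject covers hostname but whose issuer is
    outside the expected set. Domains with no baseline are not judged."""
    expected = EXPECTED_ISSUERS.get(registrable_domain(hostname), set())
    if not expected:
        return []
    return [o for o in observations
            if subject_covers(o.subject_cn, hostname) and o.issuer_cn not in expected]

# Constructed observations: a legitimate cert, a wildcard mirroring the
# July 10th, 2011 rogue cert, and an unrelated one from the same CA.
SAMPLE = [
    CertObservation("mail.google.com", "Example Trusted CA (placeholder)", date(2011, 3, 1), "baseline"),
    CertObservation("*.google.com", "Diginotar", date(2011, 7, 10), "client behind a rerouting ISP (constructed)"),
    CertObservation("*.example.net", "Diginotar", date(2011, 5, 2), "unrelated"),
]

if __name__ == "__main__":
    for hit in find_rogue_certs(SAMPLE, "mail.google.com"):
        print(f"ALERT: {hit.subject_cn} issued by {hit.issuer_cn} on {hit.not_before} ({hit.seen_from})")
```

A real deployment would key the baseline on the full issuer chain and the public-suffix list rather than on a CN and the last two labels, but the decision logic is the same.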

How was Diginotar breached? We don't know yet.

But here's something we just discovered.

This is a screenshot of the page online right now at https://www.diginotar.nl/Portals/0/Extrance.txt:

diginotar1.png


Diginotar's portal has been hacked. Somebody claiming to be an Iranian Hacker has gained access to it.

This would look like a smoking gun. Obviously this has to be connected somehow to the rogue certificate.

But if you keep looking, you'll find this page from https://www.diginotar.nl/Portals/0/owned.txt:

diginotar2.png


Another Iranian hacker group?

If you keep digging deeper, you'll find that although these web defacements are still live right now, they are not new. Much worse: they were done years ago.

Here's another one, done in May 2009 by Turkish hackers at https://www.diginotar.nl/Portals/0/fat.txt:

diginotar3.png


In fact, these hacks are so old, it's unlikely they are connected to the current problem. Or at least so we hope.



PS The news of the whole incident was first broken on Twitter by S. Hamid Kashfi (@hkashfi). He had already blogged about man-in-the-middle attacks in Iran in 2010. Here's his blog post from May 2010 (via Google Translate).

hkashfi.png


PS2 More on problems with SSL as a whole in our previous blog post.
On 30/08/11 At 09:05 AM
