Certificate attack targets Gmail
A Dutch certificate authority has confirmed that it suffered an attack that saw fraudulent SSL certificates issued for “a number of domains, including Google.com”.
The compromise of the certificate authority could leave Gmail users open to a man-in-the-middle attack, in which an attacker sitting between the user and Google terminates the TLS connection on a server of their own and relays the traffic onward. The end user’s browser shows no warning, because the fraudulent certificate was issued by a CA the browser already trusts and therefore validates exactly like a genuine one.
Google said only users in Iran were likely to be impacted by the problem, but the security breach highlights the danger of certificate authorities being attacked by organised hackers.
Certificate authority DigiNotar said it had “detected an intrusion into its Certificate Authority (CA) infrastructure, which resulted in the fraudulent issuance of public key certificate requests”.
The company said it has since revoked the fraudulent certificates, but security experts have shown that the intrusion dates back months, if not years, so more cases could emerge.
Google has issued a warning to end users, advising that they could remain exposed if they are using some browsers.
“We have received reports of attempted SSL man-in-the-middle attacks against Google users, whereby someone tried to get between them and encrypted Google services. The people affected were primarily located in Iran,” said Heather Adkins, information security manager at Google on a company blog.
“The attacker used a fraudulent SSL certificate issued by DigiNotar, a root certificate authority that should not issue certificates for Google (and has since revoked it).”
Google said Chrome users had been protected from the spoofed sites by the browser’s built-in certificate pinning for Google domains, which rejects a certificate for those domains whose public key is not on a list shipped with the browser even when it chains to a trusted root. Mozilla, for its part, had removed DigiNotar’s root from Firefox’s trust store, so end users of either browser would see a warning if they visited spoofed pages.
According to security experts, the attack could have been intended to monitor end-user communications in Iran – either by the local Government or external agencies, and mirrored similar attacks on Google’s communications services earlier this year.
“What can you do with such a certificate? Well, you can impersonate Google,” said Mikko Hypponen, chief security researcher at F-Secure on his blog.
“But why would anybody want to intercept Google? Well, this is not really about the search engine at www.google.com. This is about the Gmail servers at mail.google.com and Google Docs at docs.google.com, and maybe Google+ at plus.google.com.
“We saw a similar attack in May. It’s likely the Government of Iran is using these techniques to monitor local dissidents.”