We need to be certain that website certs are genuine


WIRED: LAST WEEK, Google chairman Eric Schmidt said he felt that Iranians and Syrians had no expectations of privacy online, and so should not use services like the company's social network Google+, which looks increasingly set to expect its users to hand over their real names.

It seems that he’s right – even the careful cryptographic security that was built by Google programmers to protect the privacy of Google+ users was rendered moot by unknown attackers this week. Ironically, though, we would never have known if it wasn’t for Iranian Google users reporting back – and pseudonymously, too.

There was a time when it would have been difficult for the company to even admit to having users in Iran. US sanctions against the so-called “axis of evil” were so harsh that it was unclear whether any internet company could legally have Iranian customers, online or not.

But the law became a little more flexible last year, thanks to the Obama administration’s belief that US net companies played a key part in the 2008 protest against the Iranian presidential election results.


This greater permissiveness means Iranians have been allowed to download Google’s Chrome web browser – and therefore help uncover a dramatic attempt to undermine Google and other companies’ most secure communications.

The revelation began on Google’s tech support forums, from “Alibo”, a Gmail user who said he had seen a strange error when trying to visit Google’s webmail service via an Iranian internet service provider. Alibo had been using the latest version of Chrome, when it announced that the connection with Google’s US servers was untrustworthy due to an unrecognised certificate.

Digital certificates help ensure that secure web connections such as those to banks and e-mail services are not being hijacked by fake websites or wiretapped by criminals. To prevent forgery, these certificates are digitally “signed” by third parties.

These certificate authorities act like a global network of notaries. They are trusted to only sign certificates vouching for genuine websites. Only Microsoft gets a certificate for microsoft.com; only Google gets a certificate for google.com sites.

The certificate that the Iranian passed on wasn’t from Google, but it was signed by a trusted certificate authority, a Dutch company called DigiNotar.

If Alibo is to be believed, he saw this certificate being used, in the wild, in Iran. Nobody can yet prove that this is the case – but the certificate he sent to Google was as conclusive and damning as digital data can be. Such a fake certificate should not have existed, but it did. Either through fraud or a security breach, DigiNotar had handed someone else the power to masquerade and spy on the most private of traffic exchanged between Google and its users.

Passwords, search terms, e-mail, credit cards; all were up for grabs.

The imposters were not only able to fake Google’s identity. DigiNotar is slowly admitting that other sites were targeted.

This is not surprising. Earlier this year, fake certificates for PayPal, Hotmail and Google were issued to an Iranian citizen by Comodo, another “trusted certificate authority” that turned out to be unauthoritative and untrustworthy. Comodo detected the attack on its service after the fact, but was able to construct a list of certificates it had been duped into issuing.

DigiNotar’s case was even more worrying: its fake Google certificate was issued in early July, and it appears that the certificate authority was unaware it had been misled until Alibo spotted the forgery.

Giving out a fake certificate is bad enough, but failing to detect it or warn others is far more damaging. Certificate authorities live or die on whether they are trusted by the major operating system and browser manufacturers. On Monday, Google, Mozilla and Microsoft enacted an “internet death penalty” on DigiNotar – instructing their web browsers to no longer trust any certificate signed by the Dutch company.

The unspoken question in the whole fiasco is: who stole the certificate? In the Comodo incident, Comodo itself was quick to point the finger at the Iranian government. Only something as powerful, as well-funded, and as persistent as Iranian cyber-spies could beat its defences, the company implied.

Shortly afterwards, a credible claim to be the source of the Comodo certificates was made by someone who said he was a young Iranian hacker, working alone.

He listed the vulnerabilities in Comodo’s infrastructure which he had exploited – all of them embarrassingly simple, the kind a lone hobbyist cracker could break into.

Few this time are blaming the Ahmadinejad administration without clearer evidence. That said, it is certainly true that the Iranian government has the motive and the opportunity to tap directly into internet traffic and insert a fake certificate.

The fake certificate created an error message in Alibo’s Chrome browser thanks to a new feature introduced by Google engineers in May. But Google itself was only able to find out about the attack when Alibo, the pseudonymous Iranian, reported it.
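The two rules at work in this story are worth seeing side by side: the ordinary browser rule described earlier (any certificate signed by any trusted certificate authority is accepted for any site) and the stricter rule behind the Chrome error Alibo saw, which is public key pinning (the browser also requires that the chain for certain sites contain a specific expected key). The program below is an added illustration written for this piece, not code from the article, Google or DigiNotar. It uses only the Go standard library, constructs two throwaway CAs in memory (both placed in the trust store, as hundreds of real CAs are in a browser), has each issue a certificate for the placeholder host `mail.example.com`, and shows that plain chain validation accepts both certificates while the pinned check rejects the one from the CA that should never have vouched for that host. The names, the host and the `Outcome` type are all invented for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Outcome records what each of the two client rules decided about each certificate.
type Outcome struct {
	GenuineByChain bool // genuine cert, chain validation only
	GenuineByPin   bool // genuine cert, chain validation plus pin check
	RogueByChain   bool // rogue cert, chain validation only
	RogueByPin     bool // rogue cert, chain validation plus pin check
}

// sign creates a certificate from tmpl signed by parent; when parent is nil the
// certificate is self-signed. All keys and certificates are constructed test data.
func sign(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// caTemplate describes a root CA; leafTemplate describes a server certificate for host.
func caTemplate(name string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
}

func leafTemplate(host string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
}

// spkiPin is the base64 SHA-256 of a certificate's SubjectPublicKeyInfo, the pin
// format later standardised for HTTP Public Key Pinning (RFC 7469).
func spkiPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// verifyChain is the ordinary browser rule: any chain to a trusted root is accepted.
func verifyChain(leaf *x509.Certificate, roots *x509.CertPool, host string) ([][]*x509.Certificate, error) {
	return leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
}

// verifyPinned adds the second rule: some certificate in the validated chain must
// carry one of the public keys pinned for this host.
func verifyPinned(leaf *x509.Certificate, roots *x509.CertPool, host string, pins map[string]bool) error {
	chains, err := verifyChain(leaf, roots, host)
	if err != nil {
		return err
	}
	for _, chain := range chains {
		for _, c := range chain {
			if pins[spkiPin(c)] {
				return nil
			}
		}
	}
	return errors.New("chain is trusted but matches no pinned key for " + host)
}

// RunScenario builds two trusted CAs, has each issue a certificate for the same
// host, and checks both certificates under both rules.
func RunScenario() (Outcome, error) {
	const host = "mail.example.com" // placeholder host, not a real site
	var out Outcome
	genuineCA, genuineKey, err := sign(caTemplate("Genuine Root CA (constructed)"), nil, nil)
	if err != nil {
		return out, err
	}
	rogueCA, rogueKey, err := sign(caTemplate("Other Trusted CA (constructed)"), nil, nil)
	if err != nil {
		return out, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(genuineCA)
	roots.AddCert(rogueCA) // both CAs are trusted, so either can vouch for any name
	genuine, _, err := sign(leafTemplate(host), genuineCA, genuineKey)
	if err != nil {
		return out, err
	}
	rogue, _, err := sign(leafTemplate(host), rogueCA, rogueKey)
	if err != nil {
		return out, err
	}
	pins := map[string]bool{spkiPin(genuineCA): true} // the site operator pins its own CA
	_, err = verifyChain(genuine, roots, host)
	out.GenuineByChain = err == nil
	out.GenuineByPin = verifyPinned(genuine, roots, host, pins) == nil
	_, err = verifyChain(rogue, roots, host)
	out.RogueByChain = err == nil
	out.RogueByPin = verifyPinned(rogue, roots, host, pins) == nil
	return out, nil
}

func main() {
	out, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", out)
}
```

Running it prints an `Outcome` in which both certificates pass `verifyChain` but only the genuine one passes `verifyPinned`: a CA that has been breached or duped produces a chain that is cryptographically flawless, so the only defence a client has is out-of-band knowledge of which key the real site ought to be using. That is why the forged certificate was visible in Chrome but invisible to every other browser, and why the detection still depended on a user in Iran reporting the error.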

If Eric Schmidt thinks he doesn’t want or need at-risk Iranians with fake names on his service, he may want to think again. And if he thinks he can maintain security without paying attention to the needs or vulnerabilities of customers in Iran and Syria, he may want to talk to his engineers.

Security flaws like this are global: they only begin in Iran.