Google Users Fall Victim to Man-in-the-Middle Attack
Originally posted at Barracuda Labs Security Blog
Yesterday reports began to trickle in that Google users in Iran had fallen victim to a man-in-the-middle attack carried out with an illegitimate SSL certificate issued for “*.google.com”. This is the latest in a series of incidents involving a compromised Certificate Authority, but this time there was clear evidence that the fraudulent certificate was being actively used. Details of the attack and its consequences are being written about extensively elsewhere, so we will give a brief overview and link to those directly involved and to others with particularly insightful analysis.
The certificate in use was issued by a Dutch certificate authority, DigiNotar. The consequence is that this CA has essentially been given the “death penalty”: Microsoft, Mozilla and Google have removed the DigiNotar root certificate from their trust stores, so any certificate chaining to it now carries no more trust than one you generate yourself. It is good to see that those in the strongest position to choose which certificate authorities to trust are doing the right thing here. With a technology that so many people rely on for security, privacy and economic reasons, a “one strike and you’re out” policy is appropriate. With each attack like this one, we see that the current system of Certificate Authorities, with its combination of centralized and opaque trust, is quite open to abuse, and compromises of that trust can have severe consequences. The system is clearly broken, and while some are working on replacement solutions, it is what we have to use in the meantime.
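To make the point above concrete, here is an added example (not code from the original post or from Barracuda) that builds a throwaway "rogue" root CA standing in for a compromised issuer, has it sign a wildcard certificate for *.google.com, and then chain-verifies that certificate against a trust store that still contains the rogue root and against one from which it has been removed. It assumes only the openssl command-line tool; the CA names ("Rogue Root CA", "Honest Root CA"), the temporary directory and the helper functions (cert_issuer, verify_against, result_with_rogue_trusted, result_with_rogue_removed) are all constructed for this illustration.

```shell
#!/bin/sh
# Added example, not from the original post: a rogue root CA, a wildcard
# certificate for *.google.com signed by it, and the effect of dropping that
# root from the trust store. Assumes only the openssl CLI; every name below is
# constructed for the illustration.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Self-signed root certificate: $1 = file prefix, $2 = common name.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" \
    -subj "/O=Constructed example/CN=$2" >/dev/null 2>&1
}

# A root that should never have signed for google.com, and an unrelated root
# that stays trusted (so the "after removal" trust store is not empty).
make_ca rogue-ca  "Rogue Root CA"
make_ca honest-ca "Honest Root CA"

# The leaf certificate an attacker holding the rogue CA's signing key could mint.
openssl req -newkey rsa:2048 -nodes -keyout "$WORK/leaf.key" \
  -out "$WORK/leaf.csr" -subj "/CN=*.google.com" >/dev/null 2>&1
openssl x509 -req -in "$WORK/leaf.csr" -days 30 \
  -CA "$WORK/rogue-ca.pem" -CAkey "$WORK/rogue-ca.key" -CAcreateserial \
  -out "$WORK/leaf.pem" >/dev/null 2>&1

# Two trust stores: one still carrying the rogue root, one with it removed.
cat "$WORK/rogue-ca.pem" "$WORK/honest-ca.pem" > "$WORK/store-with-rogue.pem"
cp  "$WORK/honest-ca.pem" "$WORK/store-rogue-removed.pem"

# Issuer line of a certificate: the field to inspect to spot a certificate
# that chains to a CA you no longer trust.
cert_issuer() {
  openssl x509 -in "$1" -noout -issuer
}

# Chain-verify leaf $1 against trust store file $2; prints trusted/untrusted.
verify_against() {
  if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
  fi
}

result_with_rogue_trusted() {
  verify_against "$WORK/leaf.pem" "$WORK/store-with-rogue.pem"
}
result_with_rogue_removed() {
  verify_against "$WORK/leaf.pem" "$WORK/store-rogue-removed.pem"
}

echo "leaf $(cert_issuer "$WORK/leaf.pem")"
echo "rogue root in trust store: $(result_with_rogue_trusted)"
echo "rogue root removed:        $(result_with_rogue_removed)"
```

The first verification succeeds because the wildcard certificate is, cryptographically, perfectly valid; nothing in the chain reveals that the issuer should not have signed for google.com. Only removing the root from the trust store, as the browser vendors did for DigiNotar, turns that same certificate into an untrusted one.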
Users are advised to remove the DigiNotar root certificate.
Firefox:
http://support.mozilla.com/en-US/kb/deleting-diginotar-ca-cert
Chrome:
http://googlechrometutorial.com/google-chrome-advanced-settings/Google-chrome-ssl-settings.html
IE:
Newer versions of Windows consult the Microsoft Certificate Trust List, which Microsoft updates centrally, so they are protected without a software update: “All supported editions of Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2 use the Microsoft Certificate Trust List to validate the trust of a certificate authority. There is no action required for users of these operating systems because Microsoft has removed the DigiNotar root certificate from the Microsoft Certificate Trust List.”
Older versions of Windows, however, do not get this protection automatically: “Microsoft will release a future update to address this issue for all supported editions of Windows XP and Windows Server 2003.”
http://www.microsoft.com/technet/security/advisory/2607712.mspx
The DigiNotar root is also being removed from the relevant Barracuda Networks products.
Further reading:
Google Online Security Blog: An Update on Attempted Man-in-the-Middle Attacks
DigiNotar Response: DigiNotar Reports Security Incident
