Non-technical summary: The Iranian government appears to be getting increasingly sophisticated in their war on Internet dissidents. Notably, this is one of the first "in the wild" applications, by an authoritarian state, of an attack that has been widely forseen by security experts.
(Updated some links Tuesday)
(Updated "advice if you're in Iran" on Thursday. I have now written an article on this attack for the Royal United Services Institute, including a bit more international context)
What does a fake certificate mean?
This is evidence that somebody is engaging in a "man in the middle" attack against Iranians using GMail. This would allow the attackers to eavesdrop on users' email.
How could this happen?
The way that secure browsing works, when you connect to a website (say,
gmail.com), it proves its identity with a digital certificate saying who it is. This certificate is "signed" by some authority, saying the holder of that certificate is indeed the owner of the
gmail.comdomain. Your browser verifies this before connecting, and puts up scary warning messages if the certificate doesn't check out.
The "signing" is mathematically pretty watertight, but there are a large number of certificate authorities out there, and the average web browser trusts several dozen of them. Gain control of one of them, and you can sign any certificate you like.
This user is apparently being presented with a fake certificate for
gmail.comsigned by DigiNotar, a Dutch certificate authority. This would enable the owner of that certificate to pretend to be
gmail.com- without any scary warning messages, or any indication at all to the users that anything is amiss.
If an attacker with this certificate can get users to contact their servers instead of Google's, and forward all data to the real
gmail.com, the users would see no difference, but the attacker could then eavesdrop on the contents of the "secure" connection. (This includes harvesting their GMail username and password for future use - so it only has to be done once.)
The Electronic Frontier Foundation explains this vulnerability in more detail here.
Who is responsible?
This attack is relatively sophisticated - to pull this off, you need to either coerce or break into a certificate authority. (In this case, it was probably the latter, as DigiNotar is a Dutch company. Depending on how good the security at the certificate authority is, this probably doesn't need to be a physical break-in. The most responsible CAs will keep their private keys on an "air-gapped" network not connected to the Internet, but with dozens to choose from, you can probably find someone who doesn't.)
In addition, you need to change something such that when your victim enters
gmail.cominto their address bar, they connect to your malicious server rather than Google's real one. The easiest way to do this is to be the person that the user is asking, "Where is
gmail.com?" - that is, the ISP.
The fact that this attack is apparently localised to Iranian ISPs, and reportedly didn't appear when the user used a VPN to "tunnel out" (as is often done in China to avoid the censors there), support the hypothesis that this is an attack by the Iranian authorities.
In addition, an Iranian commenter on Hacker News reports that less sophisticated SSL man-in-the-middle attacks are commonplace, and that dissidents have been arrested based on private information probably gleaned from such intercepts. The emergence of more sophisticated attacks would therefore be a natural progression.
Why is this surprising?
Security experts have been warning about the possibility of these attacks for years, but it is surprising to see a relatively unsophisticated country like Iran taking the lead in actually deploying this stuff.
Part of the reason is actually because Iran's digital footprint is so small. This sort of interception, while not mathematically hard, takes nearly as many resources as serving the website you're intercepting. For a well-wired country like China, such interception is impractical on a drag-net scale. But Iran is small enough that these relatively expensive surveillance techniques are feasible.
Even the Iranian infrastructure is apparently struggling - the original report on the Google forums indicated that the fake certificate was only being offered for about half an hour to an hour each day, suggesting that they are spreading their interception resources hour-by-hour across segments of the population. But as I explained above, you only need to hit someone once.
100% coverage would have made the attack a bit more robust. But the indications are that the Iranian authorities are making progressive improvements in repressive technology, and are now actively exploiting a structural problem with encrypted communications on the Internet which will be very difficult to fix.
If you're in Iran...Just in case anyone's reading this from there:
- Update (Thursday 1st Sep): Update your browser - a new version of Firefox has been released, which does not trust the compromised DigiNotar certificate. This won't solve the problem in the long term, but immunises you against this particular attack.
- If you get warnings about "certificates" or SSL, believe them, and don't browse that site (or use a VPN or Tor). Current indications are that you'll be okay again in about an hour, so don't just click through.
- Get an encrypted VPN (Google for it).
- Enable two-step verification on your Google account. (That way, even someone who's swiped your password can't log into your account - they'd have to snoop you directly)
- Use Google Chrome, whose certificate-pinning feature alerted us to this attack in the first place
- If you want to be really careful, use Tor - it's slow, but pretty secure. Update: We now know that the Tor website was also targeted by this attack, so if you downloaded Tor in the last few days, you might have got a "poisoned" version. Update your browser (see above), and then download it again.
- Change your DNS settings as shown here (not foolproof, but makes it a bit harder to do the DNS hijacking part of the attack)