Did The Iranian Gov't Try To Create A Massive Man-In-The-Middle Attack With Faked Certificates?
from the getting-sophisticated dept
A few months back, we talked about how the Tunisian government tried to do a massive hack on Facebook to access the communications of protesters and activists. It looks like the Iranian government tried to do something similar, figuring out a way to get bogus SSL certificates for Google, Yahoo, Skype and others, which would have allowed the government to set up a man-in-the-middle attack to capture passwords and read otherwise “encrypted” content. While the attempt was discovered, it does suggest the lengths that some governments will go to in order to spy on users online. More importantly, it highlights some of the serious problems with the certificate authority model of trust and security online. So here’s the big question: how do we prevent these types of things from happening?
Comments on “Did The Iranian Gov't Try To Create A Massive Man-In-The-Middle Attack With Faked Certificates?”
Q: how do we prevent these types of things from happening?
A: don’t live in Iran
Re: Re:
Not really an option, since whatever country you go to, they also have the same capabilities, and if the CA is in the country in question then you are probably better off inside Iran in that case, as far as your privacy is concerned.
sneaker net!
Re: Re:
Never underestimate the bandwidth of a truckload of tapes!
Re: Re: Re:
Hmmm…I much prefer USB HDD stands.
http://i01.i.aliimg.com/photo/v1/362919873/USB_3_0_SATA_HDD_Stand_Hard.jpg
2 TB in a slim form factor.
Use a wonderful distributed DNS system where almost anyone can inject stuff without checking. That will surely help!
Re: Re:
Which has absolutely nothing to do with this.
Re: Re:
Thanx AC. That is not only helpful but also imaginative and insightful. ^_^
Without a doubt, there is nobody anywhere who could ever think of a way to provide a secure exchange of data in a world where distributed DNS is more prevalent than it is today.
/sarc
Re: Re:
Look at BitCoin and Osiris SPS and how they solved those issues.
BitCoin is even used for anonymous financial transactions in the real world.
I expect everything
From Iran you can expect anything: they live on the dirty and destroy their neighbours. I live in Iraq and know what kind of people they are.
This is probably one of the legitimate ‘flaws’ of the way the internet is structured. It’s essentially defaulted to trust. But that ‘flaw’ is also the major strength of the internet.
There is a lot you can do to secure communication between two known parties. It gets significantly more difficult to ensure that the server you’ve connected to is who you think it is.
The existing model is actually pretty good (as we don’t hear about this thing all that often).
There are solutions for specific situations but I doubt it would scale to the entire interwebz.
The best would be to use a secure overlay like Retroshare, TOR, GNUNET or Herbivore.
SSL is just not that secure against governments; they have the resources to get in.
I am pretty sure this can’t be prevented. If you can get a Certificate Authority to issue a certificate for a domain then 99.99% of people won’t be able to tell if the certificate is legit or not. Most people couldn’t tell the difference between certs issued by Verisign, Thawte, Startcom, or Comodo if they were shown the information, and even those who could would still be hard pressed to guess which CA a website is using. I know Google uses Thawte and PayPal uses Verisign but that is it. CAs just need to keep up with their security I suppose.
Re: Re:
The 9 certificates that were issued were legitimate. Until they were revoked no one could have known. Once revoked, OCSP operating in your browser would take care of checking to see if they were on the revocation list. What I think you’re referring to is how people react when they see a notice that the certificate of a website has expired or has been revoked. Do you ignore it?
Re: Re: Re:
What I mean is that the Certs in question were from Comodo but Google uses Thawte Certs, Yahoo uses DigiCert Certs, etc. So while the Certs acquired from Comodo were “real” they were not legitimate.
Blacklist CAs
Perhaps one way to solve the problem, at least in the short term, is to start getting the word out about CAs that are untrustworthy due to unethical behavior (such as issuing fake certs for governments). Users have the option of removing these CAs from their local cert stores. Perhaps if someone gets ambitious, they could create a service to do this for the “average user”. Perhaps we should push Google, Firefox, Microsoft, McAfee, AVG and other browser, OS, anti-virus and security application developers to build such a service into their products. Let the “market” take care of the problem.
Re: Blacklist CAs
Get me a list of untrustworthy CAs and I’ll build an app that does it. Maybe Google will buy me and I’ll be rich… that’d be nice.
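The exchange above, from the Comodo-versus-Thawte mix-up through the revocation reply to the “blacklist CAs” proposal, describes four distinct checks: what a stock client does (any trusted root may vouch for any hostname), what a user who knows which CA a site uses does by hand (reject a chain whose issuer is the wrong CA), what deleting a root from the local store does, and what a revocation-list lookup does once the bad certificates are revoked. The Go program below is an added example written for this page, not code from any commenter, browser vendor or project. It builds two in-memory roots with the standard library’s crypto/x509, a “Genuine Root CA” the site really uses and a “Rogue Root CA” it never used, issues a certificate for the same constructed hostname from each, and runs all four checks. The CA names, serial numbers, hostname and the one-hour CRL lifetime are all made up for the demo, and it assumes Go 1.19 or later (for x509.ParseRevocationList and generics).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must keeps the demo short: a key-generation or encoding failure aborts the run.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// mint generates a key and a certificate for name. With parent == nil the result is a
// self-signed root; otherwise it is a server certificate for hostname name signed by
// parent. Nothing asks whether parent has any business vouching for name: that is the flaw.
func mint(name string, serial int64, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
	}
	if parent == nil { // root: may sign certificates and revocation lists
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
		parent, parentKey = tmpl, key
	} else { // leaf: a TLS server certificate for hostname name
		tmpl.DNSNames = []string{name}
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// signCRL returns a DER-encoded revocation list, signed by issuer, that lists serials as revoked.
func signCRL(issuer *x509.Certificate, issuerKey *ecdsa.PrivateKey, serials ...*big.Int) []byte {
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: time.Now(), NextUpdate: time.Now().Add(time.Hour)}
	for _, s := range serials {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates, pkix.RevokedCertificate{SerialNumber: s, RevocationTime: time.Now()})
	}
	return must(x509.CreateRevocationList(rand.Reader, tmpl, issuer, issuerKey))
}

// check mimics a client: the chain must reach a root in the store for host. A non-empty wantIssuer
// adds the by-hand check from the thread: a chain that verifies is still rejected if the issuer is wrong.
func check(leaf *x509.Certificate, roots *x509.CertPool, host, wantIssuer string) error {
	if _, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots}); err != nil {
		return err
	}
	if got := leaf.Issuer.CommonName; wantIssuer != "" && got != wantIssuer {
		return fmt.Errorf("%s: issued by %q, pinned issuer is %q", host, got, wantIssuer)
	}
	return nil
}

// isRevoked looks leaf's serial up in a CRL, after checking that the CRL was really signed by issuer.
func isRevoked(leaf, issuer *x509.Certificate, crlDER []byte) (bool, error) {
	rl, err := x509.ParseRevocationList(crlDER)
	if err == nil {
		err = rl.CheckSignatureFrom(issuer) // never trust a list the issuer did not sign
	}
	if err != nil {
		return false, err
	}
	for _, rc := range rl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return true, nil
		}
	}
	return false, nil
}

// main plays out the scenario from the thread: two trusted roots, one of which issues a
// certificate for a hostname it was never asked to vouch for. All constructed values.
func main() {
	const host = "mail.example.com" // constructed hostname
	genuine, genuineKey := mint("Genuine Root CA", 1, nil, nil)
	rogue, rogueKey := mint("Rogue Root CA", 1, nil, nil)
	genuineLeaf, _ := mint(host, 1001, genuine, genuineKey)
	fakeLeaf, _ := mint(host, 2002, rogue, rogueKey) // same hostname, wrong CA
	both, onlyGenuine := x509.NewCertPool(), x509.NewCertPool()
	both.AddCert(genuine)
	both.AddCert(rogue)
	onlyGenuine.AddCert(genuine) // the store after the user deletes the rogue root
	fmt.Println("stock client accepts rogue cert:", check(fakeLeaf, both, host, "") == nil)
	fmt.Println("issuer pin rejects rogue cert:", check(fakeLeaf, both, host, "Genuine Root CA") != nil)
	fmt.Println("rogue root removed, rogue cert rejected:", check(fakeLeaf, onlyGenuine, host, "") != nil)
	fmt.Println("genuine cert still accepted:", check(genuineLeaf, onlyGenuine, host, "Genuine Root CA") == nil)
	revoked, err := isRevoked(fakeLeaf, rogue, signCRL(rogue, rogueKey, fakeLeaf.SerialNumber))
	fmt.Println("CRL lists rogue cert as revoked:", revoked, err)
}
```

Run it with `go run`; every line should end in `true`. The first line is the whole point of the thread: with both roots in the store, a stock client has no way to tell that the rogue issuer never had any relationship with the site. The pin and the store deletion are the two client-side remedies commenters propose, and the CRL step is what the earlier reply describes, with one caveat the code makes explicit: the CRL is passed in directly, whereas a real client must fetch it (or an OCSP response) over the network, which is exactly the step a network-level attacker can block.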
There's no evidence implicating the Iranian government
At least: not yet.
Any hacker worthy of the title is quite capable of launching their attack from zombies located anywhere…and zombies are everywhere, not just on consumer networks, but on corporate, educational, and governmental networks.
Some of the best discussion on this is happening on the NANOG list.
Re: There's no evidence implicating the Iranian government
Just the same, it’s more expedient to blame them, bomb them, and bury them. Except for higher prices for pistachios, their demise will go largely unnoticed.
Just downloaded a windows update about this yesterday. Funny that.
Monkey Sphere
I’m surprised nobody’s mentioned the Monkeysphere project in this discussion.
There are two ways to set up a trust model from what I gather: either trust an authority, or use a web of trust.
It appears the authority based model is not working at this point, so the alternative is the web of trust model.
To quote the Monkeysphere page:
“The Monkeysphere project’s goal is to extend OpenPGP’s web of trust to new areas of the Internet to help us securely identify servers we connect to (…)”
http://web.monkeysphere.info/
From that point, you can set different trust levels to different peers, the way you can in OpenPGP.
Oh, and maybe worth noting, you can also delete Certificate Authorities in Firefox (and others I guess).
Might make sense to only keep the ones you think *might* be doing their job of selling ones and zeros better than the others.
Now we should probably hope that they don’t block the revocation URL and Microsoft’s patch from yesterday at the “transparent proxy” level, or their “fake e-cert” will continue to work.
The Twitter user @ioerror has created a project on GitHub called crlwatch. Worth checking out.
Re: Response to: Anonymous Coward on Mar 25th, 2011 @ 12:37am
Forgot to mention that @ioerror also works on Tor.