Iran engages in cyber warfare? Say it ain’t so…
An interesting article by Jacob Appelbaum, of Tor and WikiLeaks fame, popped up on my news feed recently, detailing a set of fraudulent SSL certificates that Comodo issued after the login credentials of one of its Registration Authorities (RAs) were stolen. These were not forged certificates: they were genuine, Comodo-signed certificates for hostnames under google.com, skype.com, yahoo.com and other domains that the requester had no right to. As Paul Roberts at Threatpost explains,
Registration Authorities are subordinate to Certificate Authorities, which issue SSL certificates. RAs are entrusted with the responsibility of authenticating the identities of parties who are being issued a certificate by the CA. In the latest Comodo incident, the attackers were able to falsely attest to the authenticity of the parties requesting the cert using the stolen RA login information.
The attack was quickly linked to the Iranian government, and while it's not really possible to know exactly what their intentions were, all of my guesses are equally frightening. One possibility is that they were attempting a man-in-the-middle (MitM) attack against a dissident living within the country. If an attacker wants to fool you into connecting to their server instead of Gmail, one way to do so is to answer your DNS lookup for gmail.com with their own server's IP address (a government that controls the national network has plenty of other ways to put itself in the path, but DNS is the simplest). If you connect via plain HTTP, your browser won't raise any red flags: it trusts whatever address the DNS server hands it. Over HTTPS, though, the attacker's server has to present a certificate, and your browser checks two things before it trusts the connection: that the certificate chains up to a CA in the browser's trust store, and that the name on the certificate matches the hostname you typed. Nobody besides Google should be able to get a trusted CA to issue a certificate for gmail.com, so the attacker is stuck with either a certificate for the wrong name or one signed by a CA the browser doesn't know, and either way you get a warning.
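The two browser checks described above, and why a fraudulently issued certificate slips past both, as an added example in Go that is not code from the original post: it stands up a hypothetical trusted root and a hypothetical attacker-run CA (both names are made up), issues certificates for mail.google.com under each, and runs Go's standard crypto/x509 chain-and-hostname verification over them. The last function adds public-key pinning, the defense Chrome shipped for Google's own domains a few months after this incident, which rejects the fraudulently issued certificate that ordinary validation accepts.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// sign gives tmpl a fresh key pair and signs it with parent/parentKey (self-signed when nil).
func sign(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parentKey == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// newCA mints a self-signed root and returns it with its key; every CA name here is hypothetical.
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	return sign(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}, nil, nil)
}

// issue signs a server certificate for host on the RA's say-so; that vetting is what the stolen RA login bypassed.
func issue(ca *x509.Certificate, caKey *ecdsa.PrivateKey, host string) *x509.Certificate {
	cert, _ := sign(&x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), // demo-only serial; real CAs use random serials
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, ca, caKey)
	return cert
}

// browserCheck mirrors a browser: the leaf must chain to a trusted root AND name the host the user typed.
func browserCheck(leaf *x509.Certificate, roots *x509.CertPool, host string) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// spkiPin is the SHA-256 of the leaf's SubjectPublicKeyInfo, the value key pinning compares against.
func spkiPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return fmt.Sprintf("%x", sum)
}

// pinnedCheck rejects a correctly chained certificate whose key the client has not pinned.
func pinnedCheck(leaf *x509.Certificate, roots *x509.CertPool, host string, pins map[string]bool) error {
	if err := browserCheck(leaf, roots, host); err != nil {
		return err
	}
	if !pins[spkiPin(leaf)] {
		return fmt.Errorf("public key presented for %q is not in the pin set", host)
	}
	return nil
}

func main() {
	trusted, trustedKey := newCA("Hypothetical Trusted Root") // the only root in the browser's store
	rogue, rogueKey := newCA("Attacker Private CA")
	roots := x509.NewCertPool()
	roots.AddCert(trusted)
	genuine := issue(trusted, trustedKey, "mail.google.com")
	pins := map[string]bool{spkiPin(genuine): true} // the key the client already knows for this host
	for label, c := range map[string]*x509.Certificate{
		"genuine": genuine, "rogue CA": issue(rogue, rogueKey, "mail.google.com"),
		"wrong name": issue(trusted, trustedKey, "attacker.example"), "fraudulent issue": issue(trusted, trustedKey, "mail.google.com"),
	} {
		fmt.Printf("%-16s chain: %v | pinned: %v\n", label,
			browserCheck(c, roots, "mail.google.com"), pinnedCheck(c, roots, "mail.google.com", pins))
	}
}
```

Running it shows the "rogue CA" certificate failing with an unknown-authority error and the "wrong name" certificate failing the hostname match, which are the two warnings the paragraph above describes. The "fraudulent issue" certificate, signed by the trusted root for a name the requester doesn't own, passes chain validation exactly like the genuine one; only the pin check, which compares the presented key against one the client already knows, tells them apart.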
That's what makes this breach so frightening: with a gmail.com certificate issued by a CA your browser trusts, both checks pass, the padlock shows, and you would log in with no idea that you were "securely" communicating with an attacker. The browser vendors' response was to ship updates that treat the specific fraudulent certificates as untrusted, which handles these certificates but not the next RA compromise. Given Homeland Security's penchant for snooping on American citizens, it's not inconceivable that this sort of attack could eventually be perpetrated against Americans by their own government. Sounds a bit paranoid perhaps, but it certainly can't hurt to use GnuPG with Thunderbird to secure your most sensitive communications. Keep in mind what that does and doesn't buy you: an end-to-end encrypted message stays private even with an attacker sitting in the middle of your HTTPS session, but your Gmail password, and everything you don't encrypt, still goes straight to them.