Slashdot Mirror

← Back to Stories (view on slashdot.org)

Another CA Issues False Certificates To Iran

Posted by timothy on from the bad-juju dept.

arglebargle_xiv writes "Following on from Comodogate, we have another public CA issuing genuine false certificates to Iran, this time for Google. There's speculation that it's a MITM by the Iranian government, but given the existing record of CAs ready to sell certs to anyone whose check clears, it could just be another Comodogate." Another (anonymous) reader says, "What might be worrying is that the CA behind the forgery is the official supplier of most Dutch Government certificates, diginotar.nl. They are supposed to be very stringent in their application process. As a Dutchman, I'm very interested to see how this one plays out." Adds Trailrunner7: "The attack appears to have been targeting Gmail users specifically. Some users trying to reach the Gmail servers over HTTPS found that their traffic was being rerouted through servers that shouldn't have been part of the equation. On Monday afternoon, security researcher Moxie Marlinspike checked the signatures on the certificate for the suspicious server, which had been posted to Pastebin and elsewhere on the Web, and found that the certificate was in fact valid. The attack is especially problematic because the certificate is a wildcard cert, meaning it is valid for any of Google's domains that use SSL."

29 of 229 comments (clear)

  1. This is ridiculous by mysidia · · Score: 2

    Any CA that can't implement sufficient controls to prevent such shenanigans, should not be a CA in the first place. Needless to say i've changed my browser and OS settings to distrust the CA. I expect a serious explanation shortly, and short of some unusually extreme extenuating circumstances, I think all browser vendors and OS vendors should evict the CA immediately, to make an example of them.

    I am curious though.... did the CA fail to implement its CA CPSs, or did its Certification practice statement actually have a hole where such a thing could happen?

  2. Notary idea by 93+Escort+Wagon · · Score: 2

    I'm beginning to think some variation of Marlinspike's distributed notary system may actually be the way to go. This just can't be allowed to happen, given the importance of internet communication nowadays. If the CAs can't prevent this, it's time to find an alternative.

    --
    #DeleteChrome
    1. Re:Notary idea by HappyPsycho · · Score: 2

      What may be a better solution in the short term would be to examine the policies of browser / OS certificate acceptance policies. After something like this if it is found to be negligent or worse yet malicious on the part of the CA, they get dropped temporarily. As the number of offenses increases the drop time increases, if they behave good for a while the drop time is reduced. Similar to BGP dampening, where any sort of instability must be removed as soon as possible to prevent the whole system from crashing down.

      If they seriously start screwing up they will be out of business long before any sort of threshold is reached that they should be removed as a registry (why bother the regulators, let business forces rip them apart, always a more effective solution).

  3. This is considered surprising? by Targen · · Score: 5, Insightful

    Security people have since forever warned the rest of the world against the risks of blindly trusting centralized/hierarchical trust schemes. It's not the first time this happens. It won't be the last. And while standard practices remain as they currently are, we're all in the hands of whoever's got money and power, and governments tend to have a lot of both. Most of you might not care much about this since you probably live in places with decent governments*, but it's a real concern for an enormous portion of the world's population.

    *IN RELATIVE TERMS. I know many of the governments of the "free world" are guilty of all manners of despicable privacy violations with all manners of awful consequences, but please don't even attempt to compare these issues to the sorts of oppression that happen in full-blown totalitarian regimes.

    1. Re:This is considered surprising? by ibwolf · · Score: 2

      You're free because you can effect social change. Tell me with a straight face that there is a wide gulf between Iran and the West in that respect, and I shall laugh at you.

      It is difficult to effect social change in the west because most of us are, on the whole, content with things as they are. Sure, there is room for improvement, but (a few fringe groups aside) few of us want radical change. This is the essence of democracy.

      In Iran it is difficult to effect social change because if you seem even remotely likely to succeed in undermining the government they will crack down on you hard.

      Of course, democracy is somewhat flawed in that it involves giving people what they want and what people want isn't necessarily what is good for the whole (or even themselves). ("People are dumb, panicky, dangerous animals and you know it.") But that is completely different from an autocratic rule that puts the welfare of its citizens behind all concerns of the ruling elite.

      Democracy isn't perfect (and as practiced in the USA, could be improved notably), but it is still the best system we've got. Or to borrow a quote

      Many forms of Government have been tried and will be tried in this world of sin and woe. No one pretends that democracy is perfect or all-wise. Indeed, it has been said that democracy is the worst form of government except all those other forms that have been tried from time to time.

      I believe that Churchill was onto something there.

    2. Re:This is considered surprising? by gilboad · · Score: 2

      Let me start by pointing out that "nationalization of certain industries" goes against one of the basic principles of freedom (One that was actually acknowledged as such by the U.N.) - the right ownership of private property. I should also point out (at the risk of triggering the Godwin's Law) that the man-kind's worst totalitarian regimes (e.g. Nazi Germany, Lenin/Stalin's USSR) started by the nationalization of industry, land and private assets in the name of the "common people" as a first step in their attempt to re-model the society to match their perfect image (does who did not match their view ended up as slave laborers in Siberia or executed in Auschwitz)
      The reason I took the time to point this out is simple: You *assume* that your views are moderate and that are shared by 99% of the western world working class, while in-fact, you'd be amazed at how many people will consider these views to be radical and dangerous - and I'm not talking extremely wealthy people who "rather maintain the current order".

      Beyond that. your attempt to compare the brokenness of the Democratic system (and I don't doubt this fact) to the (very-short) life of a woman that somehow got blamed for infidelity or blamed for tarnishing the family-honor in Iran, Afghanistan or in the Gaza strip (let alone basic human rights, religious rights, etc) is amazing at best. I could only wonder how you view WWII and/or the cold war. (though I can easily guess).

      - Gilboa

  4. Stringent SSL verification process ... yeah right! by phoxix · · Score: 3, Insightful

    The idea behind the "Stringent SSL verification process" is that customers will pay a brand-name-trusted CA company to verify the SSL request is from who they claim to be.

    Even at *TEN THOUSAND* USD/EUR/GBP/etc per fake certificate, the price is too good for countries like Iran, China, etc for engaging in MITM attacks.

    The whole process is a scam outright....

  5. Penalty: instant deletion of the CA, surely? by robbak · · Score: 4, Insightful

    Surely, if any a fraudulent certificate evert shows up, then the public keys for the issuing CA should be instantly removed? Even if they are Verisign themselves, if a fraudulent certificate exists, then trust is lost, and they cannot remain.

    --
    Prediction for end of Universe #42: Fencepost error in Quantum_bogosort.cpp
    1. Re:Penalty: instant deletion of the CA, surely? by Spad · · Score: 4, Informative

      Mozilla, Google & Microsoft (at least, so far) have all now removed Diginotar from their list of trusted authorities in their respective browsers.

  6. Surprising? by Mensa+Babe · · Score: 5, Interesting

    The only thing I find surprising is that stories like this are not more common. Various government agencies all over the world have been using fake certificates literally for years. Those are usually targeted at specific individuals being under surveillance so those are one-time stunts, limited in time and in network visibility, but all of those certificates in order to be useful have to be issued by certification authorities that are in the trust chain of the popular web browsers (Firefox, Chrome, Explorer, Safari, Opera). The problem with SSL/TLS certificates is that any certification authority from any country can issue a certificate for any domain, and they do occasionally. Most of those certificates are used only few times so they don't get any attention but sometimes they do. The trust model in SSL/TLS is fundamentally flawed and I agree with Dan Kaminsky and Bruce Schneier that we have to completely abandon it in favour of a trust model based on a secure DNS system, where there is only one authoritative source of cryptographic certificate for any given domain, instead of thousands like we have today. I have been telling this for years and I can only hope that people will eventually wake up and listen after stories like this one.

    --
    Karma: Positive (probably because of superiour intellect)
    1. Re:Surprising? by John+Hasler · · Score: 2

      ...where there is only one authoritative source of cryptographic certificate for any given domain, instead of thousands like we have today.

      And therefor a single point of failure.

      I have been telling this for years and I can only hope that people will eventually wake up and listen after stories like this one.

      Yes, once government has control of that "one authoritative source" you won't hear about this sort of thing any more.

      --
      Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
  7. Convergence by unencode200x · · Score: 4, Interesting

    Another reason to take a good, long look at Moxie Marlinspike's Convergence system. Basically, it does away with CAs in favor of a trusted and anonymous notary-based system.

    See him speak about it at BlackHat USA 2011 here .(a really great talk, as always).

    Read about it here

    The official Convergence website (http://convergence.io/). The plugin (AFAIK) is not compatible with FF 6 yet.

    --

    Chance favors the prepared mind.
    Perfect is the enemy of good.
    1. Re:Convergence by GSloop · · Score: 2

      And when the DNS servers are subverted to point to bogus SSL certificates, then what?

      You do happen to know that you'll have to trust the government [ISP etc] not to mess with DNS, and a one-stop shop to subvert both your domain and your PKI is just what they'd like to have.

      SSL certs authenticated/served by DNS is not a fix, IMO - because DNS isn't any more secure from powerful interests than SSL is. [And it may even be less secure.]

      This truly is a hard nut to crack, and knee-jerk solutions like "tie it to DNS" won't solve the problem in any robust way.

      -Greg

    2. Re:Convergence by jonwil · · Score: 2

      with proper cryptographic protocols like DNSSEC, the only way to change DNS (and hence SSL certificates stored in DNS) without raising red flags is to actually change the DNS record itself. Any man-in-the-middle attacks by hackers, ISPs or foriegn governments (great firewall of china etc) will cause the DNSSEC chain-of-trust to fail.

      Now it might be possible for a bad guy to convince the DNS provider or operator to accept new cryptographic keys, DNSSEC signatures or DNS data but that is a lot harder than convincing a dodgy CA to issue a fake certificate for PayPal or Google.

      As for the US government, if the US government wanted to take action, they could use secret national-security apparatus to force a CA to issue a valid certificate just as easily as they could use it to force a DNS provider to change DNS

      Are DNSSEC certificates the magic bullet? No.
      But they do eliminate the possibility of rogue CAs being bribed or otherwise convinced to offer fake SSL certificates. And they eliminate the high costs of SSL certificates (dont like what your DNS provider wants to charge you to store certificates in your DNS record and sign it with DNSSEC? Just go to another provider, no need for it to be one of a handful of approved CAs)

      Show me ONE example (real or hypothetical) where a DNS record has been altered (with or without the cooperation of the DNS provider) by someone other than the legitimate domain owner (e.g. hackers, government etc) where storing certificates in DNS would make things worse than if the site was using current CA-issued certificates and I will accept your arguments.

    3. Re:Convergence by GSloop · · Score: 2

      Go ahead and actually read or listen to the talk.

      If you won't trust the SSL authorities, and I don't - then one would assume that trusting the registrars/TLD's/root/or country TLD's would be even more crazy.

      IMO, DNSSEC simply doesn't really solve the problem, and shouldn't be the "solution." We should look for and design something better.

      -Greg

    4. Re:Convergence by Onymous+Coward · · Score: 2

      Thanks for bringing this up. Every time we talk about SSL issues folks fail to bring up the notaries-based systems. (Even during the last /. article, which was really about Marlinspike's Convergence.)

      Additional information: Convergence is based on Perspectives.

      Network notaries let you see a diverse views of the public key(s) used by an HTTPS server over time.

      As an example, here are multiple views of Google's SSL.

    5. Re:Convergence by GSloop · · Score: 2

      Show me ONE example (real or hypothetical) where a DNS record has been altered (with or without the cooperation of the DNS provider) by someone other than the legitimate domain owner (e.g. hackers, government etc) where storing certificates in DNS would make things worse than if the site was using current CA-issued certificates and I will accept your arguments.

      Seriously? Sex.com was totally hijacked. There are literally thousands of cases where domains get owned. [And once you own the domain its DNS is certainly available for tampering.]

      Next, if you are willing to tamper with the whole chain, then nothing will help the user. Easily within reach for a government or serious party handling DNS - and there's no protection.

      Why settle for a half measure at best. We're going to have to redesign a whole set of things - lets really try to do it right and make the replacement agile. As MM points out. "Who are you going to trust and for how long." If you can't easily/gracefully [or even ever] change who you trust, then you probably have a problem.

      where storing certificates in DNS would make things worse than if the site was using current CA-issued certificates

      Man, what a high bar you have there for a "better" solution. 'It's better than the totally broken current system.'
      Your argument amounts to: "Well, yeah, rape sucks. We think you ought to get mugged and violently assaulted instead."

      Huh? Really?!
      Let's just assume CA's *are* worse than DNSSEC - just for the sake of argument.
      In that case that DNSSEC would be better than the sketchy CA's. But simply being a little better than what's currently in place shouldn't be where we set our aspirations in coming up with something new and better.

      How about, instead of aspiring to get violently assaulted, you work for something a LOT better.

  8. More acronyms, please by mmarlett · · Score: 3, Funny

    So, besides more Californias (CAs) offering more martinis-in-the-morning (MITMs) to confuse more octogenarians/septuagenarians (OSs), what does the Chicago Public School System (CPS) have to do with anything? Or is this one of those "hacker" things I've heard so much about?

    1. Re:More acronyms, please by mmarlett · · Score: 2

      Actually, this is real news if presented properly. I don't fault mysidia for that, really, but I do fault timothy. I mean, you are talking about international fraud that could affect billions of people, but the article is presented in such a way that it is only instantly readable by a few hundred people. I've been reading Slashdot since 1996, so I'm totally used to the jargon. And I figured it out — so have thousands (or millions) of others ... but there is no real burden on the poster to spell out a few acronyms that make no sense to even a general audience (of nerds). This is more egregious than usual is all.

    2. Re:More acronyms, please by mysidia · · Score: 4, Funny

      The Californians provide a document specifying their chosen Chicago Public School System, which is digested by THE POWERS THAT BE to decide if the Californian is trusted to introduce UAs (Utah and Alaskans) to servers and vice versa (partially based on their record of providing the proper tip amounts to their servers).

      The problem is, this particular Californian has taken to introducing fake servers to the UAs (Utahns and Alaskans).

  9. Mozilla wants to blacklist the CA it seems. by wvmarle · · Score: 4, Interesting

    I just looked through the bug report listed; at the end two very interesting comments:

    So it seems Mozilla is basically going to blacklist that CA. I think that's an appropriate response: the CA has proven that their methods are flawed, and that there certificates can not be trusted. This one has been found out; who knows whether there are more out there? I surely hope this is a one-off incident but better safe than sorry. And it sends the message nice and clear to other CAs that they have to be really careful.

    As of 9:26pm PDT this bug report has made the frontpage of slashdot.org [...] Please address this issue immediately.

    A Slashdot side-effect :)

  10. bit of a red flag? by slashmydots · · Score: 2

    I'm not that informed on how certs work but if someone goes to a dutch CA and says they want a cert related to Google, wouldn't that be the one they'd double or triple check just in case it's not really Google? I mean, it's Google. Nobody doesn't know them and they wouldn't just randomly pick up a cert from a random foreign country, right? Or do they need muliple certs around the world or something so it wasn't that unusual? Either way, it's not that hard to make sure a google certificate isn't being requested from Iran...I mean, they're kinda different and easy to follow up on over the phone.

    1. Re:bit of a red flag? by jimicus · · Score: 2

      And on the rest... sure, should have raised plenty of red flags. Why would a US company ask a Dutch CA for a certificate? Why would an established site need a new or an extra certificate - a wild card (*.google.com) cert to boot? Now I have no idea how a CA certifies that the requester is actually the owner of a certain domain, it certainly failed badly in this case.

      Go buy a certificate some time. There are LOTS of CAs out there who will complete the transaction and give you a certificate in seconds. We'd like to believe that such CAs have some sort of process in place that flags up potentially fraudulent requests for human verification, but as this sort of thing demonstrates that's obviously not the case.

  11. Re:And thus you find out the real security weaknes by tftp · · Score: 2

    if you have gold-plated wenches, you end up with a James Bond movie.

    The sad fact is that you don't even have to buy them gold-plated. They happily do that on their own, at your expense.

  12. Non-sequitor by Mathinker · · Score: 2

    Everyone accepting self-signed certificates without checking who created them is going to make us all more secure against governments?

    The problem is with the current trust model itself, as others have noted here. Changing it to blindly trusting everything isn't going to improve the situation (and that is what you are proposing, for Joe Sixpack, anyway).

  13. Oh Good by thegarbz · · Score: 2

    Oh Good. We can visit something such as Gmail.com with a fraudulent certificate and no one would notice. But god forbid I self sign my home webserver certificate, that must be met with a wrath of a bright red page warning me about the dangers of a possible man in the middle attack and that no one should visit my site under any circumstances!!! /rage

    But on a more serious note shouldn't this right now be a clear indication to those in defense of using SSL / TLS to establish identity that their system is horrendously flawed and that maybe self signed certificates are in fact not any worse then any certificate verified by a picture of Ben Franklin?

  14. Mozilla, Google, MS all agreed to remove the CA by yuhong · · Score: 4, Informative

    http://blog.mozilla.com/security/2011/08/29/fraudulent-google-com-certificate/
    http://googleonlinesecurity.blogspot.com/2011/08/update-on-attempted-man-in-middle.html
    http://www.microsoft.com/technet/security/advisory/2607712.mspx

  15. Liability by Anonymous Coward · · Score: 2, Interesting

    Question for lawyers. If I bought a certificate from DigiNotar, can I sue them for damages? My certificate is unchanged so I have not been directly damaged. However, their business model is based on trust and once they are blacklisted, my cert while not be useful.

  16. lovely by roman_mir · · Score: 5, Insightful

    I love how every time when the discussion is brought up that browsers need to stop treating https with self signed certificates worse than they treat plain http (just don't show the lock icon, show an icon for the fingerprint, which would make it easy to display the fingerprint for comparing it to a known one), some fool immediately starts talking how browsers must treat https with self signed certs worse than http because https without CA means that your session is vulnerable to the MITM.

    Of-course when it is pointed out that CA does not guarantee that there is no MITM either, the discussion dies out but the opinions never change.

    Well how much longer will the opinions can stay the same with all the evidence that CAs do not in fact guarantee that there is no MITM?

    More importantly: who is talking about browser being responsible to figure out whether there is MITM or not with a https and a self signed cert?

    This cognitive dissonance needs to be eradicated.

    --
    You can't handle the truth.