“Among the domains listed [for fake certificates] are Google, Facebook, Twitter and Skype.”
Twitter and Facebook have been key organizing tools for protests, including the current bane of the regime’s existence, water fights. An update on this story. “Fake DigiNotar web certificate risk to Iranians,” from BBC News, September 6:
Fresh evidence has emerged that stolen web security certificates may have been used to spy on people in Iran.
Analysis by Trend Micro suggests a spike in the number of compromised DigiNotar certificates being issued to the Islamic Republic.
It is believed the digital IDs were being used to trick computers into thinking they were directly accessing sites such as Google.
In reality, someone else may have been monitoring the communications.
Hundreds of bogus certificates are thought to have been generated following a hack on Netherlands-based DigiNotar.
The company is owned by US firm Vasco Data Security. […]
Unconfirmed information published online suggested that more than 500 false DigiNotar certificates exist.
Among the domains listed are Google, Facebook, Twitter and Skype.
At the same time, it was noticed that a sizeable portion of the Dutch company’s certificates were mysteriously going to users in Iran.
By August, 76.5% of DigiNotar validations were in the Netherlands. 18.7% were in Iran and 4.8% elsewhere in the world, according to security firm Trend Micro.
Iranian activity dropped off after the certificates were revoked.
DigiNotar eventually went public about the intrusion on 30 August, at which time most web browsers stopped recognising DigiNotar certificates altogether.
There are many reasons why Iran may have been targeted using the bogus certificates, according to security experts.
The republic’s tight controls on dissent mean that monitoring web traffic could yield useful information.
Iran’s internet setup also makes some types of interception easier, according to Rik Ferguson, Trend Micro’s director of security research and communications.
“All the internet traffic has to go through an Iranian government proxy before it goes out to the final destination.
“If you want to spy on normal HTTP traffic, that is not a problem – you get to see all the outbound requests and all the inbound responses,” he explained.
For secure websites, attempts to intercept would ring alarm bells with the web browser and therefore the user.
One option is to make the Iranian national proxy server look like it is the target website – using a fake DigiNotar certificate.
The proxy then relays information to and from the real website, e.g. Google.com, but there is no indication that the secure chain has been broken.
While much online debate has centred around the role of the Iranian authorities, there is no firm evidence to support such a theory.
However, a spokesman for the Dutch Interior Ministry, Vincent van Steen told the Netherland’s-based ANP news agency that the cabinet was looking into claims of Iranian government involvement….
The prior report posted here noted that the nature and magnitude of the attack would require access to infrastructure that small-time vandals and crooks would not have.