Iranians spied on using rogue DigiNotar certificates

Posted by   Virus Bulletin on   Sep 5, 2011

Fake certificates signed for CIA, Mossad, Google, Facebook.

It is likely that Iranian Internet users have been spied on following a hack discovered at Dutch certificate authority (CA) DigiNotar last week, according to Trend Micro.

In July, a hack at DigiNotar resulted in a large number of fake SSL certificates being issued for popular domains, including Google, Facebook, Mozilla, the CIA, MI6 and the Mossad. The identity of these domains - as well as messages left by the alleged hackers - have led experts to believe that the Iranian government may have been behind the hack, with the intention of using the certificates to spy on dissidents. The fact that the certificates were not discovered until last week has caused many to worry that it has been successful in doing so.

When an Internet user connects to a website using HTTP over an SSL connection (HTTPS), the resulting traffic cannot be intercepted. However, HTTPS does not guarantee that the website at the other end is the one it claims to be. For instance, by hacking into DNS servers, traffic can be redirected to sites controlled by cybercriminals - or governments intent on spying on their citizens.

To prevent this from happening, the website presents the browser with an SSL certificate, which is signed using public-key cryptography by a CA. The public keys of a number of trusted certificates are stored in Internet browsers. Hence if an attacker gains access to a certificate for a popular domain signed by a trusted CA and is able to re-route traffic to that website, they can perform a man-in-the-middle attack that is unlikely to be noticed.

Data from Trend Micro suggests that this is indeed what has happened. The company noticed an unexpectedly large number of requests from Iran to, the domain used to check the authenticity of DigiNotar's certificates. Because DigiNotar's customers are mainly in the Netherlands, the vast majority of requests for that domain usually tend to be from Dutch users. On 2 September, after the certificates had been revoked and all major browsers had removed DigiNotar from their lists of trusted CAs, requests from Iran had all but disappeared.

The Dutch government, which used DigiNotar as a CA for most of its websites, held an emergency meeting on Friday night, during which it decided to stop working with DigiNotar. During the weekend, this led to a small number of issues, with for instance local councillors being unable to log into their webmail. It currently seems unlikely that Dutch Internet users have been a target of this hack.

For some time, experts have expressed concern about the security of certificates and labelled them the 'weak link' in secure Internet browsing. In March a hack at Comodo, another CA, also led to rogue certificates for popular domains being signed. This hack was also linked to the Iranian government.

Although it is currently unknown whether the Comodo hack was related to the DigiNotar hack, the fact that the Iranian Ministry of ICT recently launched new DNS servers may make many an expert feel uncomfortable.

Unlikely related, but slightly worrying in this context, is the fact that yesterday the DNS servers used by a number of popular UK websites (including the Telegraph and The Register) were hacked.

More at Trend Micro here, while F-Secure has more on the DigiNotar hack here, with more on Sophos's Naked Security blog here.

Posted on 05 September 2011 by Virus Bulletin



Latest posts:

VB2019 conference programme announced

VB is excited to reveal the details of an interesting and diverse programme for VB2019, the 29th Virus Bulletin International Conference, which takes place 2-4 October in London, UK.

VB2018 paper: Under the hood - the automotive challenge

Car hacking has become a hot subject in recent years, and at VB2018 in Montreal, Argus Cyber Security's Inbar Raz presented a paper that provides an introduction to the subject, looking at the complex problem, examples of car hacks, and the…

VB2018 paper and video: Android app deobfuscation using static-dynamic cooperation

Static analysis and dynamic analysis each have their shortcomings as methods for analysing potentially malicious files. Today, we publish a VB2018 paper by Check Point researchers Yoni Moses and Yaniv Mordekhay, in which they describe a method that…

VB2019 call for papers closes this weekend

The call for papers for VB2019 closes on 17 March, and while we've already received many great submissions, we still want more!

Registration open for VB2019 ─ book your ticket now!

Registration for VB2019, the 29th Virus Bulletin International Conference, is now open, with an early bird rate available until 1 July.

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.