Close to 300,000 unique IP addresses from Iran requested access to google.com using a rogue certificate issued by the Dutch digital certificate authority DigiNotar, according to an interim report by the security firm Fox-IT released on Monday.
The rogue certificate, issued on July 10 by DigiNotar, was finally revoked on Aug. 29.
“Around 300.000 unique requesting IPs to google.com have been identified,” Fox-IT said. On Aug. 4 the number of requests rose quickly until the certificate was revoked on Aug. 29. Of these IP (Internet Protocol) addresses, more than 99% originated from Iran.
The list of IP addresses will be handed over to Google, which can inform users that their e-mail might have been intercepted during this period, Fox-IT said.
Not only the e-mail itself but also a login cookie could have been intercepted, it added. Using this cookie the hacker is able to log in directly to the Gmail mailbox of the user and other services from Google.
“The login cookie stays valid for a longer period,” Fox-IT said. It would be wise for all users in Iran to at least log out and log in again, but even better to change their passwords, it added.
A sample of the IP addresses outside Iran during the period were mainly Tor exit nodes, proxies and other VPN (virtual private network) servers, with almost no direct subscribers, according to the report, which analysed OCSP (Online Certificate Status Protocol) request logs.
Current browsers perform an OCSP check as soon as the browser connects to an SSL (secure sockets layer) website protected through the https (hypertext transfer protocol secure) protocol.
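The kind of OCSP-log analysis the report describes, as an added example that is not Fox-IT's own tooling: it parses responder log lines (the one-line-per-request format, the sample entries and the serial value `ROGUE` are all assumed or constructed), counts distinct requesting IPs per day for one certificate serial, and flags the days on which that count jumps, the pattern the report saw from Aug. 4 onward.

```python
"""Summarise OCSP responder logs per certificate serial (added example)."""
import re
from collections import defaultdict

# Assumed log format: ISO timestamp, client IP, serial=<id>, status=<good|revoked>.
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2})T\S+\s+(?P<ip>\S+)\s+"
    r"serial=(?P<serial>\w+)\s+status=(?P<status>\w+)$"
)

# Constructed sample log; ROGUE is a placeholder serial, not the real one.
SAMPLE_LOG = """\
2011-07-27T10:00:01Z 203.0.113.5 serial=ROGUE status=good
2011-07-27T10:05:44Z 203.0.113.5 serial=ROGUE status=good
2011-08-04T08:12:01Z 198.51.100.7 serial=ROGUE status=good
2011-08-04T08:13:19Z 198.51.100.8 serial=ROGUE status=good
2011-08-04T08:14:50Z 198.51.100.9 serial=ROGUE status=good
2011-08-04T09:00:00Z 192.0.2.44 serial=ABCD status=good
2011-08-29T20:00:00Z 198.51.100.9 serial=ROGUE status=revoked
this line is not a log record
""".splitlines()

def parse_line(line):
    """Return the fields of one log record, or None for lines that do not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def unique_ips_per_day(lines, serial):
    """Map each day to the set of distinct client IPs that queried `serial`."""
    per_day = defaultdict(set)
    for rec in map(parse_line, lines):
        if rec and rec["serial"] == serial:
            per_day[rec["date"]].add(rec["ip"])
    return dict(per_day)

def total_unique_ips(lines, serial):
    """All distinct client IPs that ever queried `serial`."""
    ips = set()
    for day_ips in unique_ips_per_day(lines, serial).values():
        ips |= day_ips
    return ips

def spike_days(per_day, factor=2, floor=3):
    """Days with at least `floor` unique requesters and at least `factor`
    times the previous logged day's count: a sudden rise in status checks
    for a single serial is worth an analyst's attention."""
    out, prev = [], None
    for day in sorted(per_day):
        n = len(per_day[day])
        if n >= floor and (prev is None or n >= factor * prev):
            out.append(day)
        prev = n
    return out
```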
Tor is a distributed anonymous network used by people to prevent being tracked by websites or to connect to instant messaging services and other services when these are blocked by their local Internet service providers.
A total of 531 digital certificates were issued for domains that included google.com, the CIA, and Israel’s Mossad.
Google said on Aug. 29 that it received reports of “attempted SSL man-in-the-middle (MITM) attacks” against Google users, whereby someone tried to get between them and encrypted Google services. The people affected were primarily located in Iran.
Trend Micro, another security firm, said that the domain validation.diginotar.nl was mostly loaded by Dutch and Iranian Internet users until Aug. 30. The domain validation.diginotar.nl is used by Internet browsers to check the authenticity of SSL certificates issued by DigiNotar.
From analysis of Trend Micro Smart Protection Network data, the company found that a significant part of the Internet users who loaded DigiNotar's SSL certificate verification URL (uniform resource locator) were from Iran on Aug. 28, but by Aug. 30 most of the traffic from Iran had disappeared, and by Sept. 2 nearly all of the Iranian traffic was gone.
It became public in the evening of Aug. 29 that a rogue *.google.com certificate was presented to a number of Internet users in Iran, according to the Fox-IT report. The false certificate had been issued by DigiNotar and was revoked that same evening.
The hack implies that the current network setup and procedures at DigiNotar are not sufficiently secure to prevent this kind of attack, Fox-IT said. The most critical servers, for example, contained malicious software that could normally have been detected by anti-virus software. The separation of critical components was not functioning or was not in place, it added.