DigiNotar fake web certificates possibly created to spy on Iranians, say security researchers

Security researchers have uncovered evidence that fraudulent digital web certificates issued by Dutch root certificate authority DigiNotar were created with the aim of spying on people in Iran.



The fraudulent certificates were issued after a hacker gained access to DigiNotar's certificate infrastructure in July, although the breach was made public only at the end of August.

Researchers at security firm Trend Micro have identified a large number of compromised DigiNotar certificates being issued to Iran, which was a heavy user of the certificate authority, according to the BBC.

Researchers at security firm F-Secure said they suspected a link between the DigiNotar hack and the hacking of the Comodo certificate authority by an Iranian hacker earlier this year.

That connection has now been confirmed, they said, with the Comodo hacker claiming to have hacked DigiNotar and four other high-profile certificate authorities in a posting in his Pastebin account.

If the hacker has access to other certificate authorities, that means he is still able to issue new rogue certificates, according to the F-Secure researchers.

Because digital certificates are used to verify the identity of a person or device, authenticate a service or encrypt files, a fraudulent certificate may be used to spoof web content, perform phishing attacks or perform man-in-the-middle attacks to monitor web activity and communications.

Iran, with its tight controls on dissent, is known to monitor web traffic, but secure websites would ordinarily set off security alerts to the user through the browser.

However, by making the Iranian national proxy server appear to be the destination website using a fake DigiNotar certificate is one way around the problem, according to Rik Ferguson, Trend Micro's director of security research. The proxy then relays information to and from the real website, enabling monitoring without giving any indication that the secure chain has been broken.

The DigiNotar breach has raised concerns about the security of the certificate authority system, particularly as the number of fraudulent certificates has increased to include a number of national security agencies.

Initially, hackers were believed to have issued around 250 false certificates, but that number is now believed to be around 530, according to the Dutch government.

It now appears that the hackers signed more than 180 certificates that could have been intermediate certificates, masquerading as certificate authorities such as Thawte and Verisign.

The expanded list of domains for which fraudulent certificates were issued includes security agencies such as the US Central Intelligence Agency (CIA), the UK's MI6 and Israel's Mossad.

nb : computerweekly