In this blog posting, we present concrete evidence that the recent compromise of Dutch Certification Authority Diginotar was used for spying on Iranian Internet users on a large scale.
We found that Internet users in more than 40 different networks of ISPs and universities in Iran were confronted with rogue SSL certificates issued by Diginotar. Even worse: we found evidence that some Iranians who used software designed to circumvent censorship and snooping on their traffic were not protected against this massive man-in-the-middle attack.
Rogue SSL Certificates for Man-in-the-Middle Attacks
SSL certificates are used to secure web sessions such as Internet banking and Google's Gmail. Certification Authorities issue SSL certificates and vouch for their authenticity: a browser trusts a certificate because it trusts the authority that signed it. In July 2011, hackers broke into systems of Certification Authority Diginotar in the Netherlands and managed to have rogue SSL certificates issued for hundreds of domain names, including google.com and even the entire .com top level domain. This is very dangerous: a rogue certificate that browsers accept as genuine lets a third party mount a man-in-the-middle attack in which encrypted web traffic is decrypted and read without the user noticing.
On August 29, 2011 the rogue google.com SSL certificate issued by Diginotar was discovered. This rogue certificate makes snooping on Gmail traffic possible in man-in-the-middle attacks. Trend Micro has concrete evidence that these man-in-the-middle attacks did indeed happen on a large scale in Iran.
Our evidence is based on data that the Trend Micro Smart Protection Network has collected over time. The Smart Protection Network continuously analyzes feedback from millions of customers around the world, including which domain names are requested from which parts of the world at what time. This feedback makes it possible to protect against newly observed attack vectors almost immediately.
Attack Targeted Iranian Users
For the domain validation.diginotar.nl we see a very remarkable pattern in recent weeks: until August 30, 2011 it was requested mostly by Dutch and Iranian Internet users. Browsers contact validation.diginotar.nl to check whether an SSL certificate issued by Diginotar has been revoked (an OCSP check), so a request for this domain means the client has just been presented with a Diginotar-issued certificate. Diginotar is a small Dutch Certification Authority with customers mainly in the Netherlands. We would therefore expect this domain name to be requested mostly by Dutch Internet users and perhaps a handful of users from other countries, not by large numbers of Iranians.
Analysis of Smart Protection Network data shows that on August 28, 2011 a significant share of the Internet users who loaded Diginotar's certificate validation URL were located in Iran. On August 30, 2011 most of the Iranian traffic disappeared, and by September 2, 2011 nearly all of it was gone: Diginotar was again receiving mostly Dutch requests, as expected.
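The detection logic behind the observation above is simple enough to show in code. The following Python is an added example, not Trend Micro's code, and it runs over constructed log lines rather than real Smart Protection Network data: each line records the day, the requesting client's country and the domain requested. For a CA whose customers sit almost entirely in one country, the share of revocation-check requests coming from anywhere else should be tiny; a day on which an unexpected country accounts for a large share is flagged. The domain, the expected-country set and the 20% threshold are assumptions chosen for the example.

```python
from collections import Counter, defaultdict

# Domain that Diginotar-issued certificates point browsers to for revocation
# (OCSP) checks. A request for it means the client was just shown a Diginotar
# certificate, genuine or rogue.
OCSP_DOMAIN = "validation.diginotar.nl"

# Countries from which requests for this domain are expected (Diginotar's
# customers are mainly Dutch). Assumption made for this example.
EXPECTED_COUNTRIES = {"NL"}


def _lines(day, country, n, domain=OCSP_DOMAIN):
    """Produce n constructed log lines of the form '<date> <country> <domain>'."""
    return [f"{day} {country} {domain}"] * n


# Constructed sample log, not real telemetry. The counts mimic the pattern
# described in the post: a large Iranian share on Aug 28, tailing off by
# Aug 30 and gone by Sep 2. Lines for other domains are noise to be filtered.
SAMPLE_LOG = "\n".join(
    _lines("2011-08-28", "NL", 6)
    + _lines("2011-08-28", "IR", 5)
    + _lines("2011-08-28", "DE", 1)
    + _lines("2011-08-28", "IR", 3, domain="www.example.com")
    + _lines("2011-08-30", "NL", 7)
    + _lines("2011-08-30", "IR", 1)
    + _lines("2011-09-02", "NL", 8)
    + _lines("2011-09-02", "IR", 4, domain="www.example.com")
)


def parse_log(text):
    """Parse '<ISO date> <ISO 3166 country> <domain>' lines into tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        day, country, domain = line.split()
        records.append((day, country.upper(), domain.lower()))
    return records


def daily_country_shares(records, domain):
    """Per day, the fraction of requests for `domain` coming from each country."""
    per_day = defaultdict(Counter)
    for day, country, dom in records:
        if dom == domain:
            per_day[day][country] += 1
    shares = {}
    for day, counts in per_day.items():
        total = sum(counts.values())
        shares[day] = {c: n / total for c, n in counts.items()}
    return shares


def flag_anomalous_days(shares, expected_countries, threshold=0.2):
    """Return {day: {country: share}} for countries outside `expected_countries`
    that hold at least `threshold` of that day's requests."""
    flagged = {}
    for day in sorted(shares):  # ISO dates sort chronologically as strings
        unexpected = {
            c: s for c, s in shares[day].items()
            if c not in expected_countries and s >= threshold
        }
        if unexpected:
            flagged[day] = unexpected
    return flagged


def analyze(log_text=SAMPLE_LOG, domain=OCSP_DOMAIN,
            expected=EXPECTED_COUNTRIES, threshold=0.2):
    """Run the whole pipeline over a log and return the flagged days."""
    shares = daily_country_shares(parse_log(log_text), domain)
    return flag_anomalous_days(shares, expected, threshold)


if __name__ == "__main__":
    for day, countries in analyze().items():
        for country, share in countries.items():
            print(f"{day}: {share:.0%} of {OCSP_DOMAIN} requests from {country}")
```

Two caveats apply to this kind of signal. A revocation-check request only proves that the client was shown a Diginotar-issued certificate, not that the certificate was rogue; it is the geographic distribution, not any single request, that is anomalous. And the count is a lower bound: clients whose browsers skip or soft-fail the OCSP check, or whose check is itself blocked or intercepted by the attacker, never appear in the data at all.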
These aggregated statistics from the Trend Micro Smart Protection Network clearly indicate that Iranian Internet users were exposed to a large-scale man-in-the-middle attack in which SSL-encrypted traffic could be decrypted by a third party. For example, a third party was probably able to read all e-mail that an Iranian Internet user sent from his Gmail account.
Closer analysis of our data revealed even more alarming facts: outgoing proxy nodes in the US belonging to anti-censorship software made in California were sending web rating requests for validation.diginotar.nl to Trend Micro's cloud servers. Very likely this means that Iranian citizens who were using this anti-censorship software were victims of the same man-in-the-middle attack. Their anti-censorship software should have protected them, but in reality their encrypted communications were probably snooped on by a third party.