Fake certificate puts Gmail users at risk

A fake web certificate has been circulating for nearly two months, allowing hackers to steal passwords and data from Google sites.

The certificate, valid for *.google.com, was issued in July by a reputable Dutch SSL certificate authority, DigiNotar. It could be used to carry out ‘man-in-the-middle’ attacks against users of Gmail and other Google services.

While users would believe they were logged in securely, the attackers could eavesdrop on their keystrokes to learn passwords and other confidential data.

The danger was first highlighted by a Gmail user in Iran.

“Today, when I tried to login to my Gmail account I saw a certificate warning in Chrome,” wrote Alibo. “I think my ISP or my government did this attack (because I live in Iran and you may hear something about the story of Comodo hacker!)”

In March this year, Iran was linked to the fraudulent issue of several SSL certificates from Comodo. While Comodo initially suggested that the Iranian government was the culprit, a solo Iranian hacker later claimed responsibility.

However, this is the first time that a fraudulent certificate is known to have been used in the wild.

“The good news is that the computer security community is now taking this threat very seriously. Unfortunately, the bad news is spectacularly bad: users in Iran (or on any network where an eavesdropper had the key to this certificate) may have been vulnerable for two months,” say Seth Schoen and Eva Galperin of the Electronic Frontier Foundation.

“What’s more, there are hundreds of certificate authorities in dozens of jurisdictions, and several have been tricked into issuing false certificates. So there may well be other certificates like this out there that we don’t know about. That means almost all internet users are still vulnerable to this sort of attack.”

Google says it is now marking DigiNotar as untrusted in the next release of Chrome; Mozilla is doing the same in new versions of Firefox, Firefox Mobile and Thunderbird.