Did Iran Try to Compromise the Web?


Earlier this month, one of the big worries about the safety of the Internet came true -- at least partly.

Someone, possibly in Iran, tricked an Internet security authority into issuing at least one, and possibly as many as nine, secure sockets layer (SSL) digital certificates -- the proof that a site is really what it appears to be.

The exploit that enabled hackers to request the certificates was a very sophisticated one, according to Comodo, the root certificate authority (CA) whose partner issued the certificates. It may even point to attackers sponsored by a nation. Comodo is one of the largest Internet firms that register and administer SSL certificates.

Although none of the purloined certificates was actually used against any of the targeted sites, the event is disturbing.

"March 15, 2011, a Comodo affiliate RA [registration authority] was compromised resulting in the fraudulent issue of 9 SSL certificates to sites in 7 domains," said a post to a Comodo blog Wednesday.

"Although the compromise was detected within hours and the certificates' validity revoked immediately, the attack and the suspected motivation require urgent attention of the entire security field," the post continued.

The attack focused on communications via DNS servers, Melih Abdulhayoglu, CEO of Comodo, told InternetNews.com, possibly with the aim of intercepting users' emails, for instance.

"The [certificates] would be useless unless you had the ability to modify domain [addresses]," he added.

While the original request for the certificates came from an IP address in Iran, and the one certificate that was tested was also tested from an Iranian IP address, Abdulhayoglu said he's not saying that the Iranian government was involved.

"This is the first time to my knowledge that we've seen state-funded attacks," he added.

Among the fraudulent certificate requests were ones for Microsoft (login.live.com), Google (mail.google.com and www.google.com), and Yahoo (login.yahoo.com), as well as Skype (login.skype.com) and Mozilla (addons.mozilla.org).

An incident report on Comodo's site said that only one of the possible nine certificates -- Comodo does not know how many were actually delivered to the attackers -- was actually tested, and by the time of that attempt its authority had already been revoked.

During the period when the certificates were valid, attackers could have used them to steal users' money or information.

"These certificates may be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks against all Web browser users including users of Internet Explorer," said a Microsoft Security Advisory issued Wednesday.

Microsoft and the other affected browser makers have already come up with updates that "black list" the addresses involved in the attack.

Microsoft issued one with the security advisory.
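The browser updates described above work by shipping identifiers of the revoked certificates to the client, which then refuses them even though their signature chain still validates. The following is an added example written for this article, not code from the original piece or from Comodo, Microsoft or Google: it models that client-side blocklist check in Python, keying the blocklist both by SHA-256 fingerprint of the certificate bytes and by (issuer, serial) pair, and adds the hostname match a client performs anyway. The certificate record, the issuer name, the serial numbers and the certificate bytes are all constructed placeholders, not real certificates.

```python
import hashlib
from dataclasses import dataclass, field


@dataclass
class CertInfo:
    """Hypothetical record of a server certificate. Real code would parse these
    fields out of the X.509 structure; here they are supplied directly."""
    der: bytes          # DER-encoded certificate bytes as sent by the server
    issuer: str         # issuer distinguished name
    serial: int         # certificate serial number
    hostnames: tuple    # DNS names from the subject alternative name extension


def fingerprint_sha256(der: bytes) -> str:
    """Colon-separated upper-case hex SHA-256 of the DER bytes (browser form)."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


@dataclass
class Blocklist:
    """Identifiers of certificates a client must refuse regardless of chain validity."""
    fingerprints: set = field(default_factory=set)
    issuer_serials: set = field(default_factory=set)  # (issuer, serial), CRL-style

    def contains(self, cert: CertInfo) -> bool:
        return (fingerprint_sha256(cert.der) in self.fingerprints
                or (cert.issuer, cert.serial) in self.issuer_serials)


def hostname_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style matching: a leading '*' covers exactly one label, nothing else."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if not pattern.startswith("*."):
        return pattern == hostname
    pattern_labels = pattern.split(".")[1:]
    host_labels = hostname.split(".")
    return (len(host_labels) == len(pattern_labels) + 1
            and host_labels[1:] == pattern_labels)


def evaluate(cert: CertInfo, hostname: str, blocklist: Blocklist):
    """Return (accepted, reason). Intended to run after normal chain validation:
    a blocklisted certificate is rejected even though its chain verified."""
    if blocklist.contains(cert):
        return False, "certificate is on the blocklist"
    if not any(hostname_matches(name, hostname) for name in cert.hostnames):
        return False, "hostname does not match certificate"
    return True, "ok"


# Constructed sample data (placeholders, not real certificate bytes or names).
ISSUER = "CN=Example Issuing CA (placeholder)"
FRAUDULENT_DER = b"constructed-sample-certificate-bytes-1"
LEGIT_DER = b"constructed-sample-certificate-bytes-2"

# A fraudulently issued certificate and a legitimate one for the same name.
FRAUDULENT = CertInfo(FRAUDULENT_DER, ISSUER, 0x1001, ("mail.example.com",))
LEGIT = CertInfo(LEGIT_DER, ISSUER, 0x1002, ("mail.example.com", "*.example.com"))

# What a browser update would ship for the revoked certificates: both forms of
# identifier, so the match holds whether the client sees raw bytes or parsed fields.
BLOCKLIST = Blocklist(
    fingerprints={fingerprint_sha256(FRAUDULENT_DER)},
    issuer_serials={(ISSUER, 0x1001)},
)

if __name__ == "__main__":
    for cert in (FRAUDULENT, LEGIT):
        print(hex(cert.serial), evaluate(cert, "mail.example.com", BLOCKLIST))
```

The blocklist check comes before the hostname check on purpose: a certificate known to be fraudulent is refused no matter which name it carries, which is why Microsoft's advisory could block the certificates themselves rather than the domains they named.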

"We thank the certificate authority for disclosing this to us and enabling us to protect Chrome users," a Google spokesperson told InternetNews.com.

This is not the first time that a foreign country has been alleged to have used the Internet to invade U.S. Web sites. In January 2010, certificate authority VeriSign made the claim that cyber attacks on Google were backed by the Chinese government, although there was never any acknowledgement that China took part.

"We now have a different threat model where we live under attack, not just by cyber criminals," Abdulhayoglu said.

Stuart J. Johnston is a contributing editor at InternetNews.com, the news service of Internet.com, the network for technology professionals. Follow him on Twitter @stuartj1000.