A malicious attacker that appears to be the Iranian government managed to obtain supposedly secure digital certificates that can be used to impersonate Google, Yahoo, Skype, and other major Web sites, the security company affected by the breach said today.
Comodo, a Jersey City, NJ-based firm that issues digital certificates, said the nine certificates that were fraudulently obtained, including one for Microsoft’s Live.com, have already been revoked. A fraudulent certificate allows someone to impersonate the secure versions of those Web sites — the ones that are used when encrypted connections are enabled — in some circumstances.
The Internet Protocol addresses used in the attack are in Tehran, Iran, said Comodo, which believes that because of the focus and speed of the attack, it was “state-driven.” Spoofing those Web sites would allow the Iranian government to use what’s known as a man-in-the-middle attack to impersonate the legitimate sites and grab passwords, read e-mail messages and monitor any other activities its citizens performed, even if the connections were protected with SSL (Secure Sockets Layer) encryption.
The attacker tested the certificate for “login.yahoo.com,” but because it had been revoked, most browsers attempting to communicate with the site would see that it was not a trusted site, Comodo chief executive Melih Abdulhayoglu told CNET.
The spoofing would only work if the unknown perpetrators also operated the network, allowing them to use the Internet’s Domain Name System to redirect innocent users to a fake Gmail.com site. That wouldn’t be a problem for a national government like Iran, which controls the telecommunications infrastructure, but it means that the impact of such a security breach is limited.