Around 300,000 unique IP addresses originating from Iran requested access to google.com using a rogue certificate issued by the digital certificate authority DigiNotar. The report from security firm Fox-IT was published yesterday. Google also issued a blog post on the problem.
The rogue certificate was revoked on August 29th. Fox-IT said in their report “Around 300.000 unique requesting IPs to google.com have been identified.” 99 percent of these were traced to Iran.
The IP addresses were passed over to Google so it could inform users that their email could have been intercepted during this period. As well as email, the login cookie could very likely have been compromised, meaning that Google services such as Gmail could be accessed by unauthorised parties.
Fox-IT said that the login cookie stays active for a much longer period and that people in Iran should change their passwords for security reasons.
According to ComputerWorld “A sample of the IP addresses outside of Iran during the period was mainly Tor-exit nodes, proxies and other VPN (virtual private network) servers, and almost no direct subscribers, according to the report which analyzed OCSP (Online Certificate Status Protocol) request logs.
Current browsers perform an OCSP check as soon as the browser connects to an SSL (secure sockets layer) website protected through the https (hypertext transfer protocol secure) protocol.
Tor is a distributed anonymous network used by people to prevent being tracked by websites or to connect to instant messaging services and other services when these are blocked by their local Internet service providers.
A total of 531 digital certificates were issued for domains that included google.com, the CIA, and Israel's Mossad.
The list of domains and the fact that 99 percent of the users are in Iran suggest that the objective of the hackers was to intercept private communications in Iran, Fox-IT said.”
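As an added illustration of the OCSP-log methodology described above (example code, not from Fox-IT's report or the article): constructed OCSP responder log lines are filtered to the rogue certificate's serial, unique requesting IPs are counted and attributed to a country with a constructed prefix table, and the non-Iranian remainder is checked against a constructed list of known Tor exits and proxies. The serial, IP ranges and relay list are placeholders, not real values.

```python
import ipaddress
from collections import Counter

# Constructed OCSP responder log: "<timestamp> <client_ip> <serial queried>".
# The serials are placeholders, not the real DigiNotar serial numbers.
ROGUE_SERIAL = "ROGUE-GOOGLE-SERIAL-PLACEHOLDER"
OCSP_LOG = """\
2011-08-04T10:00:01Z 192.0.2.5 ROGUE-GOOGLE-SERIAL-PLACEHOLDER
2011-08-04T10:00:03Z 192.0.2.5 ROGUE-GOOGLE-SERIAL-PLACEHOLDER
2011-08-04T10:00:09Z 198.51.100.14 ROGUE-GOOGLE-SERIAL-PLACEHOLDER
2011-08-04T10:01:30Z 203.0.113.7 ROGUE-GOOGLE-SERIAL-PLACEHOLDER
2011-08-04T10:02:12Z 203.0.113.9 LEGIT-SERIAL-PLACEHOLDER
2011-08-04T10:02:44Z 192.0.2.33 ROGUE-GOOGLE-SERIAL-PLACEHOLDER
"""

# Constructed prefix -> country table standing in for a GeoIP database
# of the period (RFC 5737 documentation ranges, arbitrary countries).
GEO = {ipaddress.ip_network("192.0.2.0/24"): "IR",
       ipaddress.ip_network("198.51.100.0/24"): "IR",
       ipaddress.ip_network("203.0.113.0/24"): "NL"}

# Constructed list of IPs known at the time as Tor exits or open proxies.
KNOWN_RELAYS = {"203.0.113.7"}

def country_of(ip):
    addr = ipaddress.ip_address(ip)
    for net, cc in GEO.items():
        if addr in net:
            return cc
    return "??"

def analyse(log_text, rogue_serial):
    """Unique IPs that asked the OCSP responder about the rogue serial,
    their country split, and which non-Iranian ones are known relays."""
    ips = set()
    for line in log_text.splitlines():
        _ts, ip, serial = line.split()
        if serial == rogue_serial:
            ips.add(ip)
    by_country = Counter(country_of(ip) for ip in ips)
    outside = {ip for ip in ips if country_of(ip) != "IR"}
    return {"unique_ips": len(ips),
            "by_country": dict(by_country),
            "iran_share": by_country["IR"] / len(ips) if ips else 0.0,
            "outside_iran": outside,
            "outside_known_relays": outside & KNOWN_RELAYS}

if __name__ == "__main__":
    print(analyse(OCSP_LOG, ROGUE_SERIAL))
```

Repeated queries from one client collapse to a single IP, and only clients that actually checked the rogue serial are counted, which is why the result is a count of potential victims rather than of OCSP requests.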
Kitguru says: Chrome users were safe from the attack because the browser was able to detect the fraudulent certificate.