
Iranian government involvement?

Posted Sep 8, 2011 4:37 UTC (Thu) by quotemstr (subscriber, #45331)
In reply to: Iranian government involvement? by mbg
Parent article: Certificates and "authorities"

One of the forged certificates was for balitarin, a site heavily used by Iranian dissidents (and run by a friend of mine). Iran has also used techniques like DPI HTTP-proxy detection and blanket prohibition of SSL connections, and has repeatedly blocked GMail, Facebook, and other popular social media sites. I wouldn't be the least bit surprised to learn that the IRI had an SSL MITM program as well.


Iranian government involvement?

Posted Sep 8, 2011 5:37 UTC (Thu) by dannyobrien (subscriber, #25583)

The most compelling evidence is the logs of revocation checks at DigiNotar for the fake certificates[1]. The logs show, Fox-IT says, that over 200K unique IPs made a check, almost all in Iran, suggesting they were served the fake certificate when visiting Google. Here's the graphical depiction of what it shows:

That implies an active MITM attack, proxied over the majority of Iranian net space. While it seems pretty clear that a single determined independent hacker could have broken through Comodo and DigiNotar's defences, rolling out this kind of pervasive infrastructural surveillance would require the complicity of multiple Iranian ISPs.

I think the best bet right now is what is now a depressingly common combination -- indie blackhats doing the penetrations, and state actors buying and deploying what they find.

[1] - Documented in the Fox-IT report here, which is short, damning, and well worth a read:
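The log analysis the comment above describes, as an added example that is not part of the original thread and not Fox-IT's or DigiNotar's own tooling: a browser only sends an OCSP request for a certificate it has actually been shown, so the set of source IPs that asked about the rogue certificate's serial number approximates the set of MITM victims, and bucketing those IPs by country and by hour gives the kind of picture Fox-IT drew. The log format, the serial number, the log lines and the IP-prefix-to-country table are all constructed for illustration and are not real data.

```python
"""
OCSP revocation-log forensics: who was shown a forged certificate?

Constructed illustration. The log format, the serial number, the sample
lines and the prefix-to-country table are made up for this example.
"""
import ipaddress
import re
from collections import Counter

# Hypothetical serial number of a forged certificate (not a real serial).
ROGUE_SERIAL = "05E2E6A4CD09EA54D665B075FE22A256"

# Constructed responder log: "<utc-timestamp> <client-ip> <serial> <status>".
# A real responder logs a base64 DER request; we assume it has been decoded.
SAMPLE_LOG = """\
2011-08-27T22:15:04Z 5.1.2.3 05E2E6A4CD09EA54D665B075FE22A256 good
2011-08-27T22:15:09Z 5.1.2.3 05E2E6A4CD09EA54D665B075FE22A256 good
2011-08-27T22:40:11Z 37.9.8.7 05E2E6A4CD09EA54D665B075FE22A256 good
2011-08-28T01:02:03Z 5.200.1.1 05E2E6A4CD09EA54D665B075FE22A256 good
2011-08-28T01:05:30Z 37.1.1.1 05E2E6A4CD09EA54D665B075FE22A256 good
2011-08-28T02:17:45Z 80.1.1.1 05E2E6A4CD09EA54D665B075FE22A256 good
2011-08-28T02:20:00Z 5.3.3.3 05E2E6A4CD09EA54D665B075FE22A256 good
2011-08-28T03:00:00Z 80.2.2.2 1234ABCD good
this line is malformed and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"(?P<serial>[0-9A-Fa-f]+) "
    r"(?P<status>good|revoked|unknown)$"
)

# Hypothetical prefix-to-country table; real analysis would use a GeoIP
# database or RIR allocation data. Longest prefix wins.
PREFIX_TABLE = [
    ("5.0.0.0/8", "IR"),
    ("37.0.0.0/8", "IR"),
    ("80.0.0.0/8", "NL"),
    ("0.0.0.0/0", "??"),
]


def parse_log(text):
    """Parse log lines into dicts; silently drop malformed or non-IP lines."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        try:
            ip = ipaddress.ip_address(d["ip"])
        except ValueError:  # e.g. an octet above 255
            continue
        entries.append({"ts": d["ts"], "ip": ip,
                        "serial": d["serial"].upper(), "status": d["status"]})
    return entries


def victims_for_serial(entries, serial):
    """Unique client IPs that asked the responder about this serial."""
    serial = serial.upper()
    return {e["ip"] for e in entries if e["serial"] == serial}


def country_of(ip, table=PREFIX_TABLE):
    """Longest-prefix match of an address against the prefix table."""
    nets = sorted(((ipaddress.ip_network(c), cc) for c, cc in table),
                  key=lambda t: t[0].prefixlen, reverse=True)
    for net, cc in nets:
        if ip in net:
            return cc
    return "??"


def country_breakdown(ips, table=PREFIX_TABLE):
    """How many distinct victim IPs fall in each country."""
    return Counter(country_of(ip, table) for ip in ips)


def first_seen_per_hour(entries, serial):
    """New victims per UTC hour: the timeline a chart would be drawn from."""
    serial = serial.upper()
    seen, hist = set(), Counter()
    for e in sorted(entries, key=lambda e: e["ts"]):
        if e["serial"] != serial or e["ip"] in seen:
            continue  # other certificate, or a repeat check by the same client
        seen.add(e["ip"])
        hist[e["ts"][:13]] += 1  # bucket key: "YYYY-MM-DDTHH"
    return dict(sorted(hist.items()))


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    victims = victims_for_serial(entries, ROGUE_SERIAL)
    print(len(victims), "unique IPs checked the rogue serial")
    print("by country:", dict(country_breakdown(victims)))
    print("new victims per hour:", first_seen_per_hour(entries, ROGUE_SERIAL))
```

Repeat checks from the same client are collapsed so the count reflects distinct victims, and requests for other serials are ignored. One caveat a practitioner would apply before drawing conclusions: OCSP checks also come from researchers, crawlers and the attacker's own tests, so a handful of requests from outside the suspected region (here the "NL" bucket) is expected and does not by itself weaken the inference about where the bulk of the victims sat.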

Iranian government involvement?

Posted Sep 8, 2011 9:03 UTC (Thu) by quotemstr (subscriber, #45331)

Thank you for linking to the report; it's as damning as you say. I'm actually surprised that the MITM attack was so brazen: I wonder whether more careful use of the forged certificates might have opened a longer window for more targeted surveillance. (Of course, such an attack may be ongoing, and I'd rate the likelihood of such a thing far higher than I would have three months ago.) If a complete and sustained CA compromise, a coverup, and a large-scale MITM attack don't lead to changes in how we allocate trust, it'll be hard to believe that anything else will.

Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds