Gmail Users in Iran Hit by MITM Attacks

Gmail users in Iran may have been affected today, based on several reports suggesting that their connections were being hit by Man-in-the-Middle (MITM) attacks.

I first spotted this notice on Hacker News, where the submission had a link to  containing details of the affected root server certificate. Google has since confirmed the attempted attack on its blog.

Today we received reports of attempted SSL man-in-the-middle (MITM) attacks against Google users, whereby someone tried to get between them and encrypted Google services. The people affected were primarily located in Iran.

MITM, or Man-in-the-Middle, attacks are among the more sophisticated attacks: a third party places itself between two communicating parties and can eavesdrop on and monitor all of their traffic without either party knowing it is being watched. For sites that use SSL, such as Gmail, this requires defeating the certificate check, and here the attacker got hold of a fraudulent certificate that browsers would accept as genuine for the site, which lets the attacker terminate the encrypted connection and read the traffic in the clear.

The certificate was issued by DigiNotar. Chrome users (on version 13 and above) were alerted to the fraudulent certificate by a built-in security feature called certificate pinning. Certificate pinning maintains a whitelist of verified root Certificate Authorities that Chrome trusts when establishing a connection to Google accounts in general, in addition to the normal check that the certificate chains to a trusted CA. Since DigiNotar was not on that whitelist, Chrome displayed an error message saying the certificate was invalid, even though the certificate would otherwise have passed the ordinary chain validation.


Chrome shows Invalid Certificate message

Mozilla has responded by pushing an update to Firefox that revokes trust in the certificate. As a result, a user who visits a site presenting the fraudulent certificate is informed that the connection is not secure. Mozilla has also updated its knowledge base with an article showing the steps involved in revoking the certificate.
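The two defences described in the post, a browser-side pin list (Chrome) and removing trust in the issuing CA (Mozilla), can be modelled with Go's standard crypto/x509 package. The following is an added example written for this page; it is not code from the post, from Chrome, or from Google. It constructs two root CAs and a server certificate for the same hostname from each, pins only one root, and shows that ordinary chain validation accepts both leaves while the pin check rejects the unpinned one; it then drops the unpinned root from the trust store, which is what a vendor update revoking trust amounts to, so that the chain fails even without pins. The CA names, the hostname mail.example.com and the pin format (SHA-256 over the SubjectPublicKeyInfo) are my assumptions for the demonstration, not Chrome's internal list format.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// ErrPinMismatch: the chain is trusted by the store but carries no pinned key.
var ErrPinMismatch = errors.New("certificate chain does not contain a pinned public key")

// spkiPin returns the base64 SHA-256 of the certificate's SubjectPublicKeyInfo.
func spkiPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// template builds a short-lived CA or server certificate template (constructed
// test data; name is the CA name or, for a server certificate, the hostname).
func template(name string, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
	}
	if isCA {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
	} else {
		t.DNSNames = []string{name}
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// newCert generates a P-256 key for tmpl and has parentKey sign it; a nil parent
// means self-signed. It panics on failure because the inputs are fixed test data.
func newCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// VerifyPinned runs ordinary chain validation for host against roots, then
// additionally requires some certificate in a valid chain to match a pin.
func VerifyPinned(leaf *x509.Certificate, host string, roots *x509.CertPool, pins map[string]bool) error {
	chains, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	if err != nil {
		return err // untrusted or distrusted root, wrong hostname, expired, ...
	}
	for _, chain := range chains {
		for _, c := range chain {
			if pins[spkiPin(c)] {
				return nil
			}
		}
	}
	return ErrPinMismatch
}

// Demo returns the verification results for a leaf from the pinned CA, a leaf
// from a trusted but unpinned CA, and that same leaf after its CA is distrusted.
func Demo() (pinned, unpinned, distrusted error) {
	const host = "mail.example.com" // constructed hostname
	goodCA, goodKey := newCert(template("Pinned Root CA", true), nil, nil)
	otherCA, otherKey := newCert(template("Trusted But Unpinned Root CA", true), nil, nil)
	goodLeaf, _ := newCert(template(host, false), goodCA, goodKey)
	otherLeaf, _ := newCert(template(host, false), otherCA, otherKey)
	roots := x509.NewCertPool() // the browser's trust store before any response
	roots.AddCert(goodCA)
	roots.AddCert(otherCA)
	pins := map[string]bool{spkiPin(goodCA): true} // the site's pinned key
	trimmed := x509.NewCertPool() // the trust store after the vendor drops the CA
	trimmed.AddCert(goodCA)
	return VerifyPinned(goodLeaf, host, roots, pins),
		VerifyPinned(otherLeaf, host, roots, pins),
		VerifyPinned(otherLeaf, host, trimmed, pins)
}

func main() {
	fmt.Println(Demo())
}
```

The point to take from the three results is that the unpinned leaf passes every check a generic client performs, because its CA really is in the trust store; only the pin check, which exists solely for sites that ship a pin list, catches it. Removing trust in the CA protects every site, not just the pinned ones, which is why the vendor response matters even after a pinning browser has raised the alarm. The example does not implement CRL or OCSP checks.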
