Skip to main content
  1. Home
  2. Computing
  3. News

Fake DigiNotar certificates targeting Iranians?

Geoff Duncan
By
DigiNotar Iranian traffic surge (Trend Micro)

Computer security firm Trend Micro says fake digital certificates from compromised Dutch certification authority DigiNotar were part of a broad-scale man-in-the-middle attack targeting Iranian Internet users—and may have left political dissidents, activists, and others trying to bypass Iran’s online censorship regime vulnerable to eavesdropping.

DigiNotar catapulted into the news late last month when it was discovered to have issued a rogue certificate for Google.com, making it possible for third parties to carry out man-in-the-middle attacks on Google services—like Gmail—as if they were trusted and verified systems controlled by Google. Online security professionals tried to react quickly, but Trend Micro noticed something very odd about requests for domain validation through diginotar.nl: it’s a small firm that mostly serves customers in the Netherlands, so one would expect most of its domain validation requests to come from the Netherlands. And that’s true. However, beginning August 28 a significant number of Internet users requesting domain validation through DigiNotar were from Iran. No other countries saw any significant uptick in domain verification requests through DigiNotar.

The unusual spike in requests started on August 28, dropped off substantially by August 30, and was all but gone on September 2.

“These aggregated statistics [..] clearly indicate that Iranian Internet users were exposed to a large scale man-in-the-middle attack, where SSL encrypted traffic can be decrypted by a third party,” Trend Micro senior threat researcher Feike Hacquebord wrote.

Trend Micro also notes that several Web proxy systems in the United States—which are widely used by individuals wishing to access sites anonymously and without revealing their IP address or other details—were also sending Web validation requests for DigiNotar. Trend Micro speculates that these proxy services were being used by Iranian citizens seeking to work around government censorship—but the fake trust certificates would have meant their encrypted communications could have been intercepted anyway.

Trend Micro’s analysis is based on the company’s Smart Protection Network, which collects and analyzes data from Trend Micro customers around the world, including what domain names are accessed by customers at particular times.

Editors' Recommendations

Topics
Ranking all 12 versions of Windows, from worst to best
Windows 7 desktop.
Microsoft Word vs. Google Docs
A person using a laptop that displays various Microsoft Office apps.
How to schedule an email in Outlook
Scheduling an email in Outlook in Firefox on a MacBook.
The 6 biggest problems with ChatGPT right now
ChatGPT and OpenAI logos.
Best laptop deals: Save on Apple, Dell, HP and Lenovo
Woman using the Asus ProArt Studiobook on a desk.
Wi-Fi not working? Here’s how to fix the most common problems
the fbi wants you to reboot your router insecure getty
The best Chromebooks for 2023
Close up of the Chrome logo on the top of a Chromebook.
Best microSD cards in 2023: top picks for your computer, camera, or drone
galaxy s8 tips and tricks
The best game-streaming services for 2023
A Nintendo Switch connected to the internet.
If you think PCs are dying, you haven’t been paying attention
A laptop sits on a desk with a Windows 11 wallpaper.
What is ChatGPT Pro? Everything we know about its response to capacity issues
Close up of ChatGPT and OpenAI logo.
I built a couch gaming PC that puts the PS5 to shame — and you can too
A PC sitting next to a PS5 on a coffee table.
AMD Ryzen 7000: availability, pricing, specs, and architecture
A group shot of Ryzen 7000 CPUs.