Web

Forged security certificate targets Gmail users

Gmail-SSL-DigiNotar

A fraudulent Google security certificate has found its way onto the web, making it possible for hackers to access the accounts of Gmail users, reports CNet. The certificate is reportedly being used to target Gmail users located in Iran.

The Secure Sockets Layer (SSL) certificate was issued by Dutch security authority DigiNotar to unidentified attackers on July 10. The attackers apparently tricked DigiNotar into thinking the request for the SSL certificate was coming from Google, which prompted the security authority to release the certificate.

Armed with the SSL certificate, the attackers have been able to set up fake versions of Google websites — Gmail appears to have been the focus — which appear genuine to both users and users’ web browsers, which can detect fake websites that do not have the proper SSL certificate.

Known as a “man in the middle” (MITM) attack, this technique allowed the hackers to fool users into entering their real Gmail credentials into the fake site, giving them access to those users’ email accounts.

A Gmail user in Iran, who goes by the name “alibo” first posted the problem to the Google users forum.

“Today, when I trid to login to my Gmail account I saw a certificate warning in Chrome. I took a screenshot and I saved certificate to a file.” wrote alibo. “When I used a vpn I didn’t see any warning! I think my ISP or my government did this attack (because I live in Iran and you may hear something about the story of Comodo hacker!)”

The Comodo alibo refers to was a similar case, which took place back in March. Certificate authority Comodo issued a variety of fraudulent digital certificates for sites owned by Google, Yahoo, Microsoft and others. A 21-year-old Iranian claimed to have been responsible for the attack, saying his actions were in protest of US foreign policy.

In this most recent instance, Google has so far only touted the security prowess of its Chrome browser.

“A Chrome security feature warned the user of the invalid certificate and blocked them from visiting the attacker’s site. We’re pleased that the security measures in Chrome protected the user and brought this attack to the public’s attention,” a Google spokesperson told CNet. “While we investigate, we plan to block any sites whose certificates were signed by DigiNotar.”

Mozilla also responded to the attack, saying on its blog, “Because the extent of the mis-issuance is not clear, we are releasing new versions of Firefox… shortly that will revoke trust in the DigiNotar root and protect users from this attack. We encourage all users to keep their software up-to-date by regularly applying security updates.”

DigiNotar has so far remained silent on its mistake.

UPDATE: Google’s Information Security Manager, Heather Adkins, has released an official statement on the Google online security blog. It reads:

Today we received reports of attempted SSL man-in-the-middle (MITM) attacks against Google users, whereby someone tried to get between them and encrypted Google services. The people affected were primarily located in Iran. The attacker used a fraudulent SSL certificate issued by DigiNotar, a root certificate authority that should not issue certificates for Google (and has since revoked it).

Google Chrome users were protected from this attack because Chrome was able to detect the fraudulent certificate.

To further protect the safety and privacy of our users, we plan to disable the DigiNotar certificate authority in Chrome while investigations continue. Mozilla also moved quickly to protect its users. This means that Chrome and Firefox users will receive alerts if they try to visit websites that use DigiNotar certificates.

To help deter unwanted surveillance, we recommend that users, especially those in Iran, keep their web browsers and operating systems up to date and pay attention to web browser security warnings.

[Image via joingate/Shutterstock]

Product Review

It's not the sharpest tool, but the Surface Go does it all for $400

Microsoft has launched the $400 Surface Go to take on both the iPad and Chromebooks, all without compromising its core focus on productivity. Does it work as both a tablet and a PC?
Computing

Firefox 64 helps keep your numerous tabs under control

Mozilla officially launched Firefox 64 by placing new features into the laps of its users including new tab management abilities, intelligent suggestions, and a task manager for keeping Firefox's power consumption under control.
Computing

Here’s how to install Windows on a Chromebook

If you want to push the functionality of your new Chromebook to another level, and Linux isn't really your deal, you can try installing Windows on a Chromebook. Here's how to do so, just in case you're looking to nab some Windows-only…
Computing

Edit, sign, append, and save with six of the best PDF editors

There are plenty of PDF editors to be had online, and though the selection is robust, finding a solid solution with the tools you need can be tough. Here, we've rounded up best PDF editors, so you can edit no matter your budget or OS.
Computing

From beautiful to downright weird, check out these great dual monitor wallpapers

Multitasking with two monitors doesn't necessarily mean you need to split your screens with two separate wallpapers. From beautiful to downright weird, here are our top sites for finding the best dual monitor wallpapers for you.
Web

Google Translate updated to reduce gender bias in its translations

Google is changing how Google Translate offers translations. Previously when you entered a word like doctor, Translate would offer a masculine interpretation of the word. Now, Translate will offer both masculine and feminine versions.
Web

Encryption-busting law passed in Australia may have global privacy implications

Controversial laws have been passed in Australia which oblige tech companies to allow the police to access encrypted messages, undermining the privacy of encryption with potentially global effects.
Web

Can Microsoft’s Airband Initiative close broadband gap for 25M Americans?

A new report from the Federal Communications Commission (FCC) says that 25 million Americans do not have access to broadband internet. Of these, more than 19 million are living in rural communities. Can Microsoft help out?
Computing

Microsoft’s Chromium Edge browser may be adding your Chrome extensions

Fans sticking to Google Chrome because due to its vast extension library might be able to switch over to Microsoft's latest iteration of Edge, as a project manager confirms that the company has its eyes on Chrome extensions.
Computing

If you've lost a software key, these handy tools can find it for you

Missing product keys getting you down? We've chosen some of the best software license and product key finders in existence, so you can locate and document your precious keys on your Windows or MacOS machine.
Computing

Google+ continues to sink with a second massive data breach. Abandon ship now

Google+ was scheduled to shut its doors in August 2019, but the second security breach in only a few months has caused the company to move its plan forward a few months. It might be a good idea to delete your account sooner than later.
Social Media

‘YouTube Rewind 2018’ is about to become its most disliked video ever

YouTube is about to achieve a record it really doesn't want — that of "most-disliked video." Yes, its annual recap of featuring popular YouTubers has gone down really badly this year.
Computing

Want to save a webpage as a PDF? Just follow these steps

Need to quickly save and share a webpage? The best way is to learn how to save a webpage as a PDF file, as they're fully featured and can handle images and text with ease. Here's how.
Mobile

5G: Why everything is about to change

Curious about the many ways 5G will change and enrich your life? Here’s our guide to all things 5G.