Iran is to cyberwar what 1930s Spain was to airwar – contested ground where everyone tries out new technology and tactics. After being on the receiving end of Stuxnet, which sabotaged the Natanz enrichment plant and showed that cyberweapons could replace cruise missiles, it looks as though the Iranian government has gone on the offensive.
The Dutch government’s electronic certification authority, DigiNotar, was compromised by a hacker in July of this year. DigiNotar handled the hack badly, trying to fix the problem without disclosing it. As a result, DigiNotar's credentials are being revoked by all of the major browsers. This means that most web users will not be able to verify the bona fides of any site that DigiNotar has vouched for. That includes a lot of Dutch government sites, and there are some reports that the Dutch government is leaning on Microsoft to keep the credentials operative for another week. It also means that DigiNotar will be either out of business or buried in lawsuits that could also reach its parent, VASCO Data Security International.
The hacker who pulled off the compromise has posted messages claiming that the hack was revenge for Dutch peacekeepers’ surrender of thousands of Muslim men to Serb militias during the Balkan wars; the men were executed. The hacker says nothing about Iranian government sponsorship.
So why do I think the Iranian government was involved?
To understand that requires a bit of background about the role of certificate authorities on the Internet. One of Netscape’s cleverest technological innovations was its solution to the problem of Internet eavesdropping. It used public key encryption to encrypt the channel between a website and each user. The user could look up a site’s public key and use that key to encrypt all of the user's communications with the site. (I’m oversimplifying here, but that’s the idea.)
The only problem was that the system was open to a “man in the middle” attack, where Mallory turns what's meant to be a secure link between Alice and Bob into two secure links with himself as a secret hub and Alice and Bob as unsuspecting spokes.
Put another way, if an Iranian user asks Google for its public key, and he uses it to encrypt his communications, how does he know that he's really using Google’s key? If the Iranian government wants to read his Gmail, it could intercept his request and send him its own key. He’d set up a secure channel with the government, which would then simply pass his login credentials on to Google. For the rest of the session the government would sit in the middle, reading and passing on all the packets from both sides of the transaction. Not good.
To prevent that, Netscape decided to bake a set of public keys into its browser. The companies with the baked-in keys were certification authorities. They could issue certificates vouching for the credentials of every site that wanted to offer secure, encrypted communications.
It was a great system, lightweight and very secure. But only if the certification authorities kept their credential-signing process completely secure. If they didn’t, then users would not know who was at the other end of the line, the website they wanted or a man in the middle.
Occasionally, of course, some fraudster would use fake documents to persuade a certification authority to sign credentials for a site the fraudster didn’t own. That sort of thing could be fixed pretty easily. Browser providers had already recognized that there had to be a way to revoke website certificates obtained by fraud, so browsers now do an online check each time they use a certificate; in essence, they ask an online server whether the certificate they are about to use has been revoked. So a single fraudulently obtained credential can be rendered harmless as soon as the fraud is discovered.
What happened to DigiNotar was not so easily fixed. It appears that the hacker gained control of the credential-signing process for some weeks during July of this year, and he signed credentials for hundreds of online sites, including Google, Microsoft, and the CIA.
Now, that’s deeply embarrassing, and it probably would have been enough on its own to spell the end of DigiNotar. But what came next was even worse.
Starting in August, according to investigators, online revocation checks for DigiNotar certificates jumped. Suddenly lots of people wanted to know whether the DigiNotar certificate for Google had been revoked. This meant that hundreds of thousands of users were sure that DigiNotar was the authority that had signed Google’s credentials. (In fact, Google signs its own credentials.) And 99% of the users asking about DigiNotar's certificate for Google came from Iran. (Even the 1% of requests that didn’t come from Iran seem to have come from proxies and Tor routers in other countries, meaning they too could have been Iranian users.)
Clearly a lot of Iranian users had been fooled into thinking that DigiNotar had issued Google’s credentials. I can only think of one way that could happen – if the Iranian government and ISPs were systematically intercepting packets bound for Google and saying, in effect, “I’m Google. Here are my credentials, signed by DigiNotar. Let’s go secure and foil any eavesdroppers.” The user’s browser would say, “Wait a minute while I check to make sure DigiNotar hasn’t revoked your DigiNotar credentials, Google… Ok, you check out, let’s talk.” As soon as the user started sending his login name and password to the fake Google, the middleman would use those credentials to log in to Google, which would set up a secure communications channel with the middleman. The entire session would be encrypted unbreakably at every point in the chain save the one that mattered: the government listening post in the middle. The Iranian government would be sitting pretty -- Mallory between Alice and Bob.
Some observations, mostly additional reasons for thinking that this was an Iranian government operation, and what that means:
- The notes posted by the DigiNotar hacker make him sound like a flake and a braggart, hardly the kind of postings you’d expect from the Iranian secret police. Maybe this is misdirection, or maybe he pulled off the exploit and then handed over his loot to the Iranian government, voluntarily or involuntarily. But the implementation of the man-in-the-middle attack was so quick and so smooth that it looks to me as though the hacker was working with the government from the start.
- The same hacker who compromised DigiNotar claims to have carried out attacks on Comodo and GlobalSign, two other certification authorities. Both companies agree that they were hacked, although GlobalSign is not admitting that its credentials were compromised. Again, compromising certification authorities is a great idea if you're in the business of man-in-the-middle attacks; otherwise it's got mostly nihilistic look-at-me-trashing-your-infrastructure appeal, which might make you wonder why this hacker has specialized in such attacks if he doesn't work for the government.
- If this were an Iranian government op, the websites for which fake credentials were issued should be an Iranian government wish list -- all the places where it most wants to be in the middle between the site and Iranian users. If so, the point of the fake CIA certificate wasn't to help hackers break into the CIA's network. The point was to impersonate the CIA online – to lure dissidents into setting up an apparently secure communications channel with a foreign intelligence service. Iranian government paranoia about the CIA’s influence is so profound it’s almost flattering, and the Iranian government probably is kidding itself that the election protests were the result of foreign meddling, not the government’s unpopularity.
- In fact, the domains whose credentials were falsified do seem to be a kind of museum of Iranian government paranoia. Along with Google, Microsoft, and the CIA, the hacker made fake credentials for Mossad, MI6, Facebook, Skype, WordPress, Twitter, azadegi.com (an Iranian dissident site in Persian), Walla.co.il (a site in Hebrew), torproject.org, and Yahoo, along with others. The full list is here. In some ways, it’s an honor roll.
- It's also a tell -- more evidence that the attack on DigiNotar was government sponsored. After all, if the DigiNotar hacker was really acting on his own, without government guidance, how did he manage to create so many certificates that would have so much value for an Iranian government man-in-the-middle attack?
- If this is cyberwar, it's an Iranian government war against its own people. And a very dangerous one. The flood of revocation checks coming from Iran continued all through August, meaning that anyone in that country who logged on to Gmail or Hotmail or the other honor-roll sites has probably lost control of everything – not just emails they sent in August but their passwords, their stored emails, their stored files, anything that could be accessed by passwords they used in August.
- As a result, DigiNotar’s security breakdown could foretell a new human rights disaster, with hundreds of thousands of victims. And, since we know the IP addresses that checked DigiNotar’s certificates, we could probably identify each victim individually.
- Which raises this question: We know from the online revocation checks that three hundred thousand Iranian users were fooled into using fake DigiNotar certificates for Google. The same information should be available for Microsoft, Facebook, and every other fake certificate that was issued by the hacker. Those numbers are the big story, and I don't understand why reporters have dropped the ball on it, unless they don't appreciate its significance.
- Mozilla has done a particularly good job of dealing with this issue, communicating more details earlier than most browser companies. Most recently, it called on the certification authorities it bakes into its browser to audit their security -- and to put automatic blocks on some of the names, such as Google or Facebook, that are most likely to inspire man-in-the-middle attacks and least likely to change certificate authorities on short notice. In contrast, Apple handled the whole affair pretty badly, taking days longer than the other big browsers to announce that it was revoking DigiNotar's credentials.
- Iranian dissidents probably could protect themselves from these attacks by installing a browser extension called CertPatrol, which warns you if a site you've visited before has suddenly changed its certificate authority. CertPatrol likely would have told all those Gmail users that, instead of going to a "Google" site that Google vouched for, they were instead going to a "Google" site that DigiNotar vouched for. They could also protect their Google account by turning on Google's two-step verification process, which won't let you log on from strange IP addresses until you've typed in a separate code sent directly to your phone.
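The issuer-change check that CertPatrol is described as performing can be sketched as follows. This is an added example, not CertPatrol's code or anything from the original post; the function names, the host `mail.example.test` and all certificate values are constructed, and the certificate dicts follow the layout returned by Python's `ssl.SSLSocket.getpeercert()`.

```python
# Added illustration; every certificate value below is constructed.

def issuer_of(cert):
    """Return (organization, common name) of the issuer."""
    fields = {k: v for rdn in cert.get("issuer", ()) for k, v in rdn}
    return fields.get("organizationName"), fields.get("commonName")

def check_site(store, host, cert):
    """Compare this visit with what earlier visits to the host recorded.

    store maps host -> {"issuer": (org, cn), "serial": str}. Returns
    "first-visit", "unchanged", "renewed-same-ca" or "ca-changed".
    """
    issuer, serial = issuer_of(cert), cert.get("serialNumber")
    known = store.get(host)
    if known is None:
        store[host] = {"issuer": issuer, "serial": serial}
        return "first-visit"
    if known["issuer"] != issuer:
        # Keep the old record so the warning repeats on every visit until
        # the user explicitly accepts the new authority.
        return "ca-changed"
    if known["serial"] != serial:
        known["serial"] = serial  # routine renewal by the same authority
        return "renewed-same-ca"
    return "unchanged"

def make_cert(org, serial):
    """Build a constructed sample certificate dict (not a real certificate)."""
    issuer = ((("organizationName", org),), (("commonName", org + " sample CA"),))
    return {"issuer": issuer, "serialNumber": serial}

def demo():
    """Replay five visits to one placeholder host and return each verdict."""
    store, host = {}, "mail.example.test"
    visits = [
        make_cert("Google", "01A1"),     # first visit
        make_cert("Google", "01A1"),     # same certificate again
        make_cert("Google", "02B2"),     # renewed, same issuer
        make_cert("DigiNotar", "0C3C"),  # issuer suddenly differs
        make_cert("DigiNotar", "0C3C"),  # still flagged on the next visit
    ]
    return [check_site(store, host, cert) for cert in visits]

if __name__ == "__main__":
    print(demo())
```

A first visit made while interception is already in place records the intercepting authority, so a check of this kind only protects sites visited before the attack began.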
As always when I venture too far into technical territory, I am quite aware that there are fine points I may be missing. I welcome corrections and comments.
Compromised certificates are a serious problem. As a result probably the CA system requires a thorough review, yet there are sufficient reasons to believe that the man-in-the-middle attack is rather unlikely outside Iran. And also, there are several easy countermeasures providing some form of protection against MITM attacks.
Any challenge-based response like CAPTCHA puts a heavy load on the MITM. Cell phones could be used to send text messages with validation codes, or security devices require the user to return a validation code. In all cases a MITM would not be able to do what a user could do.
Furthermore you may ask yourself where a MITM could be located, and whether it is likely that his presence would be unnoticed.
The user could be affected by phishing software (for which we protect ourselves), or the MITM could be a hacked server at your ISP (which I sort of exclude as a possibility in civilized countries), or the MITM could be a compromised public access point when you use wifi.
Any sort of alert by, for instance, the CertWatch add-on in Firefox while you would try to browse to a secured website through a public access point would certainly trigger my attention. But how many users click such messages away, without asking what it means, and which risks are involved?
Posted by: Ejo60 | Sep 13, 2011 at 01:06 AM
All good points. Thanks for the deeper dive on MITM attacks.
Posted by: Stewart Baker | Sep 13, 2011 at 06:17 AM