by Eva Galperin, Seth Schoen and Peter Eckersley

More facts have recently come to light about the compromise of the DigiNotar Certificate Authority, which appears to have enabled Iranian hackers to launch successful man-in-the-middle attacks against hundreds of thousands of Internet users inside and outside of Iran.

Existing web browsers, email clients and operating systems depend on Certificate Authorities (CAs), and the SSL certificates they produce, in order to know that you are really visiting the domain that you intended to visit. If these certificates are false, someone in control of a network can tamper with and spy on connections. A hacker who gets a certificate for mail.google.com, for instance, will be able to steal people's Gmail passwords and hijack their accounts. A hacker who gets a certificate for addons.mozilla.org or *.microsoft.com might be able to install malicious software on victims' computers. In fact, these kinds of attacks against Gmail happened on a massive scale during July and August of this year. DigiNotar's post-mortem by the Fox-IT firm produced the following map of the attack's 300,000+ victims:

EFF has been worried about structural flaws and systematic insecurity in the CA ecosystem for some time now, and our SSL Observatory project has been studying and documenting these problems. Sadly, they have now been demonstrated in a more pointed way.

How can I protect myself?

Until we have augmented or replaced the CA system with something more secure, all of our fixes to the problem of HTTPS/TLS/SSL insecurity will be band-aids. However, some of these band-aids are important:

  • The first thing that Internet users should do to protect themselves is to always install browser and operating system updates as quickly as possible when they become available.
  • Another useful step is to configure your browser to always check for certificate revocation before connecting to HTTPS websites (in Firefox, this setting is Edit→Preferences→Advanced→Encryption→Validation→When an OCSP server connection fails, treat the certificate as invalid).
  • Firefox users who are particularly concerned (and willing to do more work to protect themselves) may also consider installing Convergence to warn them when certificates they see are different from certificates seen elsewhere in the world and Certificate Patrol to warn them whenever certificates change — legitimately or otherwise.
  • Users of Google services in particular can choose to enable two-factor authentication, which makes it hard for attackers who steal Google passwords to reuse them later. Any user of Google services with a concrete concern that someone else wants to take over their Google accounts should consider using this protection.

Further details on the attack

SSL certificates are the glue that holds the encrypted portions of the Internet together — they are how your browser knows that the website you visit is the website you intended to visit. The official report on the attacks from Fox-IT includes data from DigiNotar that suggests that over 300,000 (primarily Iranian) Internet users may have had their communications intercepted, but the danger to Internet users extends well beyond Iran.

The problem we face with Certificate Authorities is not just that there are particular vulnerabilities in any one CA. Rather, the massive structural crisis is that, as the SSL Observatory has shown, there are many hundreds of certificate authorities and an attacker only needs to break into one of them in order to start issuing fraudulent certificates. Furthermore, these CAs appear to exist within around fifty countries' jurisdictions. Any one of these countries could conceivably compel a CA to create fraudulent certificates for purposes of espionage or for spying on that country's citizens. The DigiNotar hack has merely underlined how fragile the certificate authority system really is. Anyone who values the privacy and security of their communications and financial transactions online should take steps to protect themselves.

Statements have appeared strongly suggesting that the DigiNotar attacker is the same person who attacked Comodo earlier this year. The Tor Project has published extensive updates on the scope of the attack, including the list of the 531 fraudulent certificates issued by DigiNotar. This list shows that the attacker was prepared to facilitate spying against many major Internet sites. The attacker claims to be an individual Iranian who has chosen to help the government monitor individuals' communications. Additionally, he claims to have compromised four additional as-yet-unspecified certificate authorities. If true, the Iranian government may still have the power to forge new certificates in the name of these other authorities.

There has also been further confirmation that the attack was detected thanks to the pinning feature in Google's Chrome browser. This feature protected only Google's own sites, so users could have been (and may still be) vulnerable to attacks against other sites regardless of which browser they use. Users whose connections were attacked would not necessarily have noticed anything unusual, but the privacy of the information sent and received in their HTTPS connections would have been compromised, and information may have been altered.
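The pinning check described here, together with the Certificate Patrol-style "warn when a certificate changes" behaviour mentioned in the protection list above, as an added example that is not part of EFF's post or of either tool's code; the pin table, host names and certificate bytes are constructed stand-ins.

```python
from __future__ import annotations
import hashlib
from dataclasses import dataclass, field


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, as hex."""
    return hashlib.sha256(der).hexdigest()


def pin_domain(host: str, pins: dict) -> str | None:
    """Return the pinned domain covering host (exact or parent), else None.
    A pin for "google.com" also covers mail.google.com, so a rogue
    *.google.com certificate is checked against the same pin."""
    labels = host.split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in pins:
            return candidate
    return None


@dataclass
class CertMonitor:
    pins: dict                              # hypothetical: domain -> allowed fingerprints
    seen: dict = field(default_factory=dict)  # host -> last fingerprint seen

    def check(self, host: str, der: bytes) -> str:
        fp = fingerprint(der)
        domain = pin_domain(host, self.pins)
        if domain is not None:
            # Pinned site: a chain that validates under the CA system but does
            # not match the pin is rejected outright, as Chrome did for Google sites.
            return "ok" if fp in self.pins[domain] else "reject:pin-mismatch"
        # Unpinned site: remember the first certificate, warn on any change.
        previous = self.seen.get(host)
        self.seen[host] = fp
        if previous is None:
            return "ok:first-seen"
        return "ok" if previous == fp else "warn:certificate-changed"


# Constructed stand-ins for DER certificate bytes (not real certificates).
GENUINE_GOOGLE = b"constructed-der:google-genuine"
ROGUE_GOOGLE = b"constructed-der:google-from-compromised-ca"
MOZILLA_V1 = b"constructed-der:addons-mozilla-v1"
MOZILLA_V2 = b"constructed-der:addons-mozilla-v2"


def demo() -> list:
    m = CertMonitor(pins={"google.com": {fingerprint(GENUINE_GOOGLE)}})
    return [
        m.check("mail.google.com", GENUINE_GOOGLE),   # ok
        m.check("mail.google.com", ROGUE_GOOGLE),     # reject:pin-mismatch
        m.check("addons.mozilla.org", MOZILLA_V1),    # ok:first-seen
        m.check("addons.mozilla.org", MOZILLA_V1),    # ok
        m.check("addons.mozilla.org", MOZILLA_V2),    # warn:certificate-changed
    ]
```

Real pins must come from a certificate obtained out of band, never from the connection being checked.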

Software downloads from the compromised websites are of special concern because an attacker can change the content of a software download to include spyware that continues monitoring the user's activity indefinitely. Since it seems clear that Tor was a specific target, the Tor Project has advised users who installed Tor in Iran recently to check the signature of their download. If you are a Tor user in Iran and can't check the integrity of your download or no longer have the downloaded file, we recommend that you reinstall your operating system — not just Tor.

In the meantime, Google has advised that

...users, especially those in Iran, keep their web browsers and operating systems up to date and pay attention to web browser security warnings.

These are words to live by, especially given the uncertainty over SSL certificates. Major browser vendors have responded to the threat by updating their browsers to remove trust from the certificates involved in or related to the attacks, but updates are useless if people do not install them in a timely fashion. Software updates now regularly fix major security vulnerabilities, and browser warnings are there to protect you against real threats.

Certificate-based attacks are a concern all over the world, including in the U.S., since governments everywhere are eagerly adopting spying technology to eavesdrop on the public. Vendors of this technology seem to suggest the attacks can be done routinely. Similar attacks may have happened before — this attack is just the first whose details we know about. EFF's SSL Observatory has helped to map out the problem by showing the ways in which CAs are related to one another. Soon, we will launch the Decentralized SSL Observatory, which will offer a real-time method of detecting and protecting against these attacks. We will also have more to say about possible ways of cross-checking and fixing the CA infrastructure in a more sustainable way.