DigiNotar: Iranians – The Real Target
September 5, 2011, 4:57 am (UTC-7) | by Feike Hacquebord (Senior Threat Researcher)
In this blog post, we present concrete evidence that the recent compromise of Dutch certification authority DigiNotar was used to spy on Iranian Internet users on a large scale.
We found that Internet users in more than 40 different networks of ISPs and universities in Iran were met with rogue SSL certificates issued by DigiNotar. Even worse, we found evidence that some Iranians who used software designed to circumvent traffic censorship and snooping were not protected against the massive man-in-the-middle attack.
Rogue SSL Certificates for Man-in-the-Middle Attacks
SSL certificates are used to secure Web sessions such as Internet banking and Google’s Gmail. Certification authorities (CAs) issue these certificates and run the validation services that browsers query to confirm that a certificate they have been shown is still valid. In July 2011, attackers broke into the systems of the Dutch certification authority DigiNotar and issued themselves rogue SSL certificates for hundreds of domain names, including google.com and even a wildcard certificate covering the entire .com top-level domain. This is very dangerous: a rogue certificate for a domain lets an attacker who sits between a user and that domain (a man-in-the-middle) terminate the SSL connection with a certificate the user’s browser trusts, so that the supposedly encrypted traffic can be read and altered without the browser raising a warning. (The rogue google.com certificate was eventually noticed only because Google Chrome pins the certificates it expects for Google’s own domains and refused it.)
On August 29, 2011, the rogue google.com SSL certificate issued by DigiNotar became publicly known. Such a certificate makes it possible to snoop on Gmail traffic in a man-in-the-middle attack. Trend Micro has concrete evidence that these man-in-the-middle attacks indeed took place in Iran on a large scale.
Our evidence is based on data that the Trend Micro Smart Protection Network has collected over time. The Smart Protection Network constantly analyzes feedback data from millions of customers around the world, including which domain names are accessed from which parts of the world at a particular time. This feedback makes it possible to protect against newly seen attack vectors in the blink of an eye.
Attack Targeted Iranian Users
In recent weeks, we saw a very remarkable pattern for the domain validation.diginotar.nl: until August 30, 2011, it was loaded mostly by Dutch and Iranian Internet users. Browsers contact validation.diginotar.nl (DigiNotar’s certificate status, or OCSP, responder) to check the validity of SSL certificates issued by DigiNotar, and a browser only does so after a server has presented it with a DigiNotar-issued certificate. Requests for this host are therefore a good indicator of where DigiNotar certificates were actually being shown to users.
DigiNotar is a small Dutch certification authority whose customers mainly reside in the Netherlands. We would therefore expect this domain name to be requested mostly by Dutch Internet users, perhaps with a handful of requests from other countries, but certainly not by large numbers of Iranians.
Analyzing Smart Protection Network data, we saw that on August 28, 2011 a significant share of the Internet users who loaded DigiNotar’s certificate-validation URL were in Iran. On August 30, 2011, most of the Iranian traffic disappeared, and by September 2, 2011 almost all of it was gone: DigiNotar once again received requests mostly from Dutch Internet users, as expected. Note that this drop coincides with the public disclosure of the rogue certificate and with browser vendors beginning to distrust DigiNotar’s root certificates; a browser that no longer trusts the issuer has no reason to query its validation host, so the traffic would fade even if the rogue certificate had kept being served.
[Figure 1: Smart Protection Network requests for validation.diginotar.nl by country of origin, August 28, 2011]
[Figure 2: Smart Protection Network requests for validation.diginotar.nl by country of origin, August 30, 2011]
These aggregated statistics from the Trend Micro Smart Protection Network clearly show that Iranian Internet users were exposed to a large-scale man-in-the-middle attack in which SSL-encrypted traffic could be decrypted by a third party. A third party was therefore probably able to read all of the email messages that an affected Iranian Internet user sent and received with his or her Gmail account.
Closer analysis of our data revealed an even more alarming fact: exit nodes located in the United States that belong to anti-censorship software made in California were sending Web rating requests for validation.diginotar.nl to Trend Micro’s cloud servers. A browser only contacts validation.diginotar.nl after it has been handed a DigiNotar-issued certificate, so a DigiNotar lookup leaving a US exit node means that such a certificate reached a browser whose traffic was being tunneled through that node. This very likely means that Iranian citizens who were using this anti-censorship software were victimized by the same man-in-the-middle attack. Their anti-censorship software should have protected them; in reality, a third party was able to spy on all of their encrypted messages.
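To make the detection logic behind the two observations above concrete (the geographic shift in validation.diginotar.nl lookups, and lookups arriving from the exits of an anti-censorship proxy), here is an added example that is not part of the original post and not Trend Micro’s code. It runs the check over a constructed, invented request log (timestamp, client IP, client country, requested host) rather than real Smart Protection Network data; the thresholds, the expected-country set and the proxy exit address 203.0.113.7 are assumptions chosen for illustration.

```python
"""Geographic anomaly check for a CA's certificate-validation host.

Constructed example (not Trend Micro's code or data). The log below is invented
to mimic aggregated Web-rating requests, one per line:
UTC timestamp, client IP, client country, requested host.
Thresholds and the proxy exit list are assumptions, not values from the post.
"""
from collections import Counter, defaultdict

VALIDATION_HOST = "validation.diginotar.nl"   # the validation host named in the post
EXPECTED_COUNTRIES = {"NL"}                    # DigiNotar's customer base is mainly Dutch
MIN_REQUESTS = 5        # assumption: days with fewer requests are too small to judge
ALERT_SHARE = 0.25      # assumption: alert when over 25% of a day's lookups are unexpected
PROXY_EXITS = {"203.0.113.7"}   # assumption: exit node of an anti-censorship proxy (documentation range)

SAMPLE_LOG = """\
2011-08-28T08:02:11Z 192.0.2.10 NL validation.diginotar.nl
2011-08-28T08:05:40Z 198.51.100.21 IR validation.diginotar.nl
2011-08-28T08:06:02Z 198.51.100.22 IR validation.diginotar.nl
2011-08-28T08:09:37Z 198.51.100.23 IR validation.diginotar.nl
2011-08-28T09:11:05Z 192.0.2.11 NL validation.diginotar.nl
2011-08-28T09:14:48Z 198.51.100.24 IR validation.diginotar.nl
2011-08-28T09:20:19Z 198.51.100.25 IR validation.diginotar.nl
2011-08-28T10:01:33Z 203.0.113.7 US validation.diginotar.nl
2011-08-28T10:30:52Z 198.51.100.26 IR validation.diginotar.nl
2011-08-28T11:03:14Z 192.0.2.12 NL validation.diginotar.nl
2011-08-28T11:44:27Z 198.51.100.27 IR validation.diginotar.nl
2011-08-28T12:15:09Z 198.51.100.28 IR validation.diginotar.nl
2011-08-28T13:02:56Z 192.0.2.13 NL validation.diginotar.nl
2011-08-28T13:10:00Z 192.0.2.14 NL www.example.com
2011-08-30T08:04:21Z 192.0.2.10 NL validation.diginotar.nl
2011-08-30T08:33:45Z 192.0.2.11 NL validation.diginotar.nl
2011-08-30T09:12:08Z 198.51.100.29 IR validation.diginotar.nl
2011-08-30T10:25:30Z 192.0.2.12 NL validation.diginotar.nl
2011-08-30T11:47:51Z 192.0.2.13 NL validation.diginotar.nl
2011-08-30T12:58:13Z 192.0.2.15 NL validation.diginotar.nl
2011-09-02T08:01:00Z 192.0.2.10 NL validation.diginotar.nl
2011-09-02T09:02:00Z 192.0.2.11 NL validation.diginotar.nl
2011-09-02T10:03:00Z 192.0.2.12 NL validation.diginotar.nl
2011-09-02T11:04:00Z 192.0.2.13 NL validation.diginotar.nl
2011-09-02T12:05:00Z 192.0.2.14 NL validation.diginotar.nl
"""


def parse_log(text):
    """Parse 'timestamp ip country host' lines; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, ip, country, host = parts
        records.append({"day": ts[:10], "ip": ip, "country": country, "host": host})
    return records


def daily_country_counts(records, host=VALIDATION_HOST):
    """Per-day count of requests for `host`, broken down by client country."""
    counts = defaultdict(Counter)
    for r in records:
        if r["host"] == host:
            counts[r["day"]][r["country"]] += 1
    return counts


def flag_anomalous_days(records, host=VALIDATION_HOST, expected=EXPECTED_COUNTRIES,
                        min_requests=MIN_REQUESTS, alert_share=ALERT_SHARE):
    """Return (day, share_outside_expected, top_outside_country) for each day on
    which an unexpectedly large share of validation lookups comes from outside
    the CA's customer base. A lookup of a CA's validation host implies a browser
    was just shown a certificate from that CA, so lookup geography mirrors
    certificate-use geography."""
    alerts = []
    for day, by_country in sorted(daily_country_counts(records, host).items()):
        total = sum(by_country.values())
        if total < min_requests:
            continue
        outside = {c: n for c, n in by_country.items() if c not in expected}
        share = sum(outside.values()) / total
        if share > alert_share:
            alerts.append((day, share, max(outside, key=outside.get)))
    return alerts


def flag_proxy_exit_lookups(records, host=VALIDATION_HOST, proxy_exits=PROXY_EXITS):
    """Validation lookups that left through a known anti-censorship proxy exit:
    the browser behind that exit was handed a certificate from this CA."""
    return [(r["day"], r["ip"]) for r in records
            if r["host"] == host and r["ip"] in proxy_exits]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for day, share, top in flag_anomalous_days(recs):
        print(f"{day}: {share:.0%} of {VALIDATION_HOST} lookups from outside "
              f"{sorted(EXPECTED_COUNTRIES)}, mostly {top}")
    for day, ip in flag_proxy_exit_lookups(recs):
        print(f"{day}: {VALIDATION_HOST} lookup via proxy exit {ip}")
```

On the constructed log, only August 28 is flagged (9 of 13 lookups, mostly from IR), while August 30 and September 2 fall back under the threshold, and the single lookup from 203.0.113.7 is reported as a proxy-exit lookup. The same shape of check works for any CA whose customer base is geographically narrow: the baseline is the expected-country set, and the alert is a sustained share of validation traffic from elsewhere.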
39 Responses to “DigiNotar: Iranians – The Real Target”
Jeroen says:
September 5th, 2011 at 8:36 am
Can you provide a graph of the development of the Iranian DigiNotar traffic over time? Now we can only see August 28 and 30, but it’s also interesting to see when the attack started.
September 5th, 2011 at 3:31 pm
> Jeroen Says:
> September 5th, 2011 at 8:36 am
> Can you provide a graph of the development of the Iranian DigiNotar traffic over time? Now we can only see August 28 and 30, but it’s also interesting to see when the attack started.
here you go: http://www.youtube.com/watch?v=wZsWoSxxwVY
September 6th, 2011 at 7:42 am
Hello,
Could you please provide the (anonymized) data for the video above? (i.e. number of requests from inside Iran per, say, 10-20 minutes? IP addresses not needed, only number of requests over time.)
Iranian Tor users have reported that the MITM attack was not constant but periodic (occurring every couple of hours). There is some spectral analysis that could be done to confirm this and provide more insight into the attack.
Thank you for everything.
September 13th, 2011 at 1:12 pm
why can’t I read all the comments?
September 13th, 2011 at 7:36 pm
I’ve already read other whitepapers regarding DigiNotar, I’m just a bit curious to read Trend Micro research team’s findings and analysis about it.