Google issued warnings this morning of a possible man-in-the-middle attack against users attempting to access various Google services over the secured, encrypted HTTPS protocol. Google notes that the man-in-the-middle attacks appear to be “primarily located in Iran.”
HTTPS is the standard for encryption and requires a set of keys to work. The first key, a private key, is known only by the provider of the service. The second key, a public key, is verified by a third party so it is known to be trusted and distributed in browsers. A verified public key can only decrypt a message signed by its private counterpart and vice versa.
What Is a Man In the Middle Attack?
A man-in-the-middle attack happens when a hacker compromises a connection between a user and the service they are trying to access – in this case, Google. The hacker presents fraudulent but verifiable credentials to the user, making the user believe he or she is talking to Google’s servers.
However, the attacker actually intercepts the messages (usernames, passwords, email contents, etc.), decrypts them with the hacked private key, then re-encrypts them with Google’s true public key and sends them on through to Google, where they are received as normal. This go-between communication is what Google warned about in today’s announcement.
In this case, the fraudulent security certificate was issued by the formerly trusted DigiNotar. Since the news of this announcement, the Chrome team, Mozilla Firefox team and Microsoft’s Internet Explorer teams have jumped to update their browsers to revoke the trust of any certificates issued by DigiNotar.
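The effect of that revocation on a client, as an added example (not code from Google, the browser vendors or this article): a certificate that passes normal validation is still rejected when its issuer is on a distrust list. The function names and the sample certificates are constructed for illustration, and the check only sees the leaf certificate's immediate issuer as exposed by Python's `ssl.getpeercert()`, whereas browsers remove trust at the CA level.

```python
import socket
import ssl

# Issuer names this client refuses to trust. "DigiNotar" is the CA named in
# the article; matching is a case-insensitive substring test.
DISTRUSTED_ISSUER_ORGS = {"diginotar"}


def issuer_fields(cert):
    """Flatten the nested RDN tuples of getpeercert()['issuer'] into a dict."""
    fields = {}
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            fields.setdefault(key, []).append(value)
    return fields


def distrusted_issuer(cert, distrusted=DISTRUSTED_ISSUER_ORGS):
    """Return the matching issuer string if a distrusted CA issued the leaf."""
    fields = issuer_fields(cert)
    for key in ("organizationName", "commonName"):
        for value in fields.get(key, []):
            if any(name in value.lower() for name in distrusted):
                return value
    return None


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Complete a normally validated TLS handshake and return the leaf cert."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed samples in getpeercert() format. Every name except the
# organization "DigiNotar" is made up for illustration.
ROGUE = {
    "subject": ((("commonName", "*.google.com"),),),
    "issuer": ((("countryName", "NL"),), (("organizationName", "DigiNotar"),),
               (("commonName", "Example Public CA"),)),
}
GOOD = {
    "subject": ((("commonName", "*.google.com"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Example Trust Services"),),
               (("commonName", "Example Issuing CA 1"),)),
}

if __name__ == "__main__":
    for label, cert in (("rogue", ROGUE), ("good", GOOD)):
        hit = distrusted_issuer(cert)
        print(label, "REJECT: issued by " + hit if hit else "accept")
```

Against a live server, `distrusted_issuer(fetch_peer_cert(host))` applies the same check after the standard chain and hostname validation has already succeeded.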
The question remains whether DigiNotar purposefully issued what they certainly had to know were falsified certificates, or whether the service itself was hacked. Chester Wisniewski suggests the entire process for verifying those companies who issue certificates is untrustworthy.
Ironically enough, last month Google started issuing warnings to webmasters who house malware that could initiate man-in-the-middle attacks.
Here are a few examples of what good certificates look like: