When you are banking online, you assume your data is secure.
You see the lock symbol at the top of your browser and the “https” at the beginning of the Web address and you also assume that the website is what it says it is.
That is because any website involved in e-commerce has to get a Certificate of Authority, which is issued by a network of Certificate Providers around the world.
So, it was a bit disturbing to learn recently that a Dutch provider of Certificates of Authority, called DigiNotar, was hacked by a man claiming to be from Iran.
He is known as Comodohacker, and DigiNotar ended up handing out more than 200 fake certificates of authority to Comodohacker for sites like Google, the CIA and Yahoo.
Anchor Lisa Mullins talks to Danny O’Brien, who is following the story of Comodohacker for The Committee to Protect Journalists.
The text below is a phonetic transcript of a radio story broadcast by PRI’s THE WORLD. It has been created on deadline by a contractor for PRI. The transcript is included here to facilitate internet searches for audio content. Please report any transcribing errors to email@example.com. This transcript may not be in its final form, and it may be updated. Please be aware that the authoritative record of material distributed by PRI’s THE WORLD is the program audio.
Lisa Mullins: Many of us do some form of business on the internet. We might use online banking or buy something from a website, and when we do we’re told to make sure that our browser is secure; for instance, make sure that the lock symbol is up at the top of the browser or the https is at the beginning of the web address. We also assume that the website is what it says it is. That’s because any website involved in e-commerce has to get something called a Certificate of Authority. Those certificates are issued by a network of certificate providers around the world. So it was disturbing to learn recently that a Dutch certificate provider called DigiNotar was hacked by a man claiming to be from Iran. He’s known as Comodohacker. He allegedly got his digital hands on more than 200 fake certificates, including one for Google. That can be used to create a fraudulent Google site. Danny O’Brien is following the story of Comodohacker for The Committee to Protect Journalists. He says the fake Google site is significant because Google’s email program, Gmail, is the preferred method of communicating among independent journalists and activists in Iran.
Danny O’Brien: A lot of people use Google’s email to communicate, and communicate securely, in countries like Iran because the whole of their email system uses https, so in theory what’s called the man in the middle, someone in between you and Google, wouldn’t be able to spy on that. But once a system is broken they’d be able to see the emails that you were reading and they would be able to obtain your password.
Mullins: And so how did the Comodohacker find a market for the certificates he stole?
O’Brien: Well, that’s the big question here. The reason why the Comodohacker is called the Comodohacker is because he’s actually done this before at a company called Comodo, and that company posted an analysis where they claimed that it was almost certainly the Iranian government that was pursuing this in fact. And the speaker of Comodohacker popped up and said well, actually no, it was just me. I’m 21 years old. I am super powerful in this sort of like hacker provider way, and I was acting alone and I did this through exploiting some very trivial errors that you made.
Mullins: So nobody caught up with him then?
O’Brien: No, no, no, well we know he’s in Iran, but what’s significant about this particular attack, shortly after we first found out about this attack a company, Foxit, did some analytics and realized this certificate was being used to fake Google for hundreds and thousands of Arabian users. Now, that’s not something that an individual 21-year-old hacker could do on their own. That’s something that requires the cooperation of at the very least one internet service provider, probably a state run service provider in Iran.
Mullins: Danny, who is ailing most because of the actions of this Comodohacker?
O’Brien: Well, honestly it’s the journalists, readers and activists who have been using these services in Iran in the belief that they were communicating securely.
Mullins: You mean Iranian journalists in particular?
O’Brien: Yes, absolutely, anybody in Iran who thought they were communicating securely for a period of weeks had this information swept up in a sort of dragnet surveillance by what we presume is the Iranian authorities. They are definitely the people who lost out most in this fiasco.
Mullins: Could you, has The Committee to Protect Journalists noticed a chilling effect or actual jailing as a result of journalist information within Iran not being as secure as those journalists thought it was?
O’Brien: No, what tends to happen with surveillance like this is that there’s a very slow process. In no country do you get a situation where somebody is being spied on and the moment they say something they’re instantly bundled off into a prison. Generally speaking, surveillance like this is used to collect information that will then be used against people. One of the key things here is passwords, right? Many people use the same password on many different services, and the password that you used to unlock your Google mail account is usually the same password that you use in any other context. So, if people don’t change those passwords in Iran, that could unlock all kinds of other information and continue to unlock it even now that the security hole the Comodohacker blasted through has been closed.
Mullins: Danny O’Brien is following the Comodohacker case for The Committee to Protect Journalists.
Copyright ©2009 PRI’s THE WORLD. All rights reserved. No quotes from the materials contained herein may be used in any media without attribution to PRI’s THE WORLD. This transcript may not be reproduced, in whole or in part, without prior written permission. For further information, please email The World’s Permissions Coordinator at firstname.lastname@example.org.