Iran Times

Someone (guess who?) spies on Iranian Gmail

It was the second time this year that someone had fraudulently gotten access to private accounts. The previous time the target was also Iranian users.

The widespread assumption, although not provable, is that the Islamic Republic is trying to spy on suspected dissidents by reading their email.

Gmail is the free email system operated by Google. Google said late Sunday that for six weeks someone had been penetrating its Gmail service, primarily targeting users in Iran.

It said the effort to enter Gmail was first detected by a user in Iran who notified Google, which then started an investigation.

Google discovered that attackers had acquired a Secure Sockets Layer (SSL) certificate valid for any website in the google.com domain, which would let them impersonate those sites to users.

Private companies, known as certificate authorities (CAs), make money from issuing digital certificates to authorized users. In this case a Dutch CA, DigiNotar, issued an SSL certificate for the google.com domain on July 19, without Google’s knowledge.

Google uses a different CA, not DigiNotar, to issue certificates for its domains—and, as an additional security measure, it hard-codes the identity of that legitimate issuer into its Chrome browser, so Chrome rejects a google.com certificate from any other issuer even if that issuer is otherwise trusted. This allowed a Chrome user in Iran to flag the DigiNotar-issued certificate as illicit.

Google said Sunday in a blog post that it had now configured its Chrome browser to revoke SSL certificates coming from DigiNotar while the company investigates.
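The two defenses described above, the issuer pinning built into Chrome and the subsequent blanket rejection of DigiNotar certificates, can be illustrated with a small chain check. The following is an added example written for this article, not Google's or Chrome's code; the certificate names, key bytes and pin values are constructed stand-ins, and the only name taken from the article is DigiNotar. It pins the SHA-256 hash of the issuing CAs' public keys (the form later standardised as HPKP) and shows that a rogue google.com certificate fails the pin check even before its issuer is added to a distrusted list.

```python
import base64
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an X.509 certificate (constructed for this example)."""
    subject: str
    issuer: str
    spki: bytes  # would be the DER SubjectPublicKeyInfo; arbitrary bytes here


def spki_pin(cert: Cert) -> str:
    """Pin value = base64(sha256(SubjectPublicKeyInfo)), as browsers compute it."""
    return base64.b64encode(hashlib.sha256(cert.spki).digest()).decode("ascii")


def check_chain(chain, pins, distrusted_issuers):
    """Validate a chain against a pin set and a list of distrusted CAs.

    chain[0] is the leaf, chain[-1] the root. Returns (ok, reason).
    Rule 1: a chain passing through a distrusted CA is rejected outright
            (what Chrome did for DigiNotar once the compromise was known).
    Rule 2: at least one certificate in the chain must present a pinned key
            (what caught the rogue certificate before the blocklist existed).
    """
    if not chain:
        return False, "empty chain"
    for cert in chain:
        if cert.issuer in distrusted_issuers or cert.subject in distrusted_issuers:
            return False, f"chain passes through distrusted CA {cert.issuer}"
    for cert in chain:
        if spki_pin(cert) in pins:
            return True, f"pin matched on {cert.subject}"
    return False, "no pinned key present in chain"


# Constructed certificates: the legitimate chain Google's sites would present.
GOOD_ROOT = Cert("Example Root CA", "Example Root CA", b"spki-example-root")
GOOD_INT = Cert("Example Google Issuing CA", "Example Root CA", b"spki-example-int")
GOOD_LEAF = Cert("mail.google.com", "Example Google Issuing CA", b"spki-mail-key")
GOOD_CHAIN = [GOOD_LEAF, GOOD_INT, GOOD_ROOT]

# Constructed rogue chain: a wildcard google.com cert issued by a trusted but
# unrelated CA (the DigiNotar situation described in the article).
ROGUE_ROOT = Cert("DigiNotar Root CA", "DigiNotar Root CA", b"spki-diginotar-root")
ROGUE_LEAF = Cert("*.google.com", "DigiNotar Root CA", b"spki-rogue-key")
ROGUE_CHAIN = [ROGUE_LEAF, ROGUE_ROOT]

# The pin set a browser would ship for google.com: the legitimate issuers' keys.
GOOGLE_PINS = {spki_pin(GOOD_INT), spki_pin(GOOD_ROOT)}


if __name__ == "__main__":
    print("legitimate chain:", check_chain(GOOD_CHAIN, GOOGLE_PINS, set()))
    print("rogue chain, no blocklist:", check_chain(ROGUE_CHAIN, GOOGLE_PINS, set()))
    print("rogue chain, DigiNotar distrusted:",
          check_chain(ROGUE_CHAIN, GOOGLE_PINS, {"DigiNotar Root CA"}))
```

The second case is the important one: the rogue chain is cryptographically valid and its root is in the trust store, yet it fails because none of its keys match the pins. The distrusted list is a coarser, faster measure that protects users whose software has no pins for the affected site.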

DigiNotar said its internal security detected an unauthorized user entering its system and downloading certificates in July. It said security revoked those certificates, but apparently missed the one for google.com. It learned of that last week and has now revoked that certificate.

Computer security firm F-Secure noted there was a similar incident in the spring that was “tied to Iran” and “it’s likely the Government of Iran is using these techniques to monitor local dissidents.”

The spring attack involved a hacker who broke into Comodo, another certificate issuer, and briefly obtained several certificates fraudulently.

F-Secure also said the intent would not be to monitor traffic to search engine google.com. “This is about the Gmail servers at mail.google.com and Google Docs at docs.google.com and maybe Google+ at plus.google.com,” it said.

Google was quick to point out that users of its Google Chrome program were automatically able to detect the fraudulent certificate and were protected.
