[SSL Observatory] SSL CA compromise in the wild

Ondrej Mikle ondrej.mikle at gmail.com
Sat Mar 26 19:49:19 PDT 2011


On 03/24/11 00:41, Jacob Appelbaum wrote:
> On 03/23/2011 04:32 PM, Chris Palmer wrote:
>>> On 03/23/2011 03:48 PM, Ali-Reza Anghaie wrote:
>>>> Inconvenient and annoying? Likely. But so is a 0300 knock and potato
>>>> bagged escort out of your home in Tehran, Iran.. -Ali
>>
>> Apparently some people in Syria were inconvenienced today when they
>> tried to use Facebook.
> 
> Could you share a little more about this with the list?

I'm posting this due to your explicit request (since it's a bit off-topic on
this list; however, the intel-crypto perspective might be interesting):

I think Chris refers to Syria's years-long blocking of Facebook:

"Syria blocks Facebook over Israeli 'infiltration'":
http://www.msnbc.msn.com/id/22146918/ns/technology_and_science-internet/
http://uk.reuters.com/article/2008/03/13/oukin-uk-syria-internet-idUKL138353620080313?sp=true

Though Syria's ban on FB was officially lifted in February, it had been
circumvented by proxies before:

http://www.charliebeckett.org/?p=4203


There is a connection to the Comodo CA fraudulent certs and "Iran incident":

Comodo claims *some* of the attackers' IPs belonged to Iran and one of the
fraudulent certs was seen in use in Iran -
https://www.comodo.com/Comodo-Fraud-Incident-2011-03-23.html ; but seeing
Iranian IPs or not seeing OCSP responder traffic does not imply anything as was
pointed out in Eckersley's EFF deeplinks blog. (Nevertheless, nobody can say it
was or wasn't Iran's operation for sure.)


Broader perspective:

Iran knows how to block TOR based on key-exchange packets:

https://blog.torproject.org/blog/update-internet-censorship-iran

MOIS (Iran's intel agency) most likely would not be so stupid to do such an
advanced attack from their own IPs (though mistakes do happen).

Bahraini and Saudi diplomats claim Iran is the "major cause" of the recent
protests; a significant source making this claim is STRATFOR (a private intel
agency; the claims track back to Bahraini/Saudi sources). Two examples:

http://www.stratfor.com/analysis/20110325-update-protests-middle-east
http://www.stratfor.com/analysis/20110318-friday-protests-and-iranian-influence-persian-gulf

But the Bahraini claims have been "disproved" before:
http://crowdleaks.org/bahraini-government-fabricates-iranian-threats/

(Sorry for bringing a non-strictly-technical post here, but an answer was in
order - Jacob did an extensive analysis of the affected certs.)

Regards,
  OM
