Hackers passed themselves off as the Internet giant Google with the apparent goal of snooping on people using Google services in Iran, the company said.
It was the latest in a string of breaches that call into question the reliability of certificates that are supposed to verify the authenticity of Web sites. Such breaches make dissidents and human rights workers particularly vulnerable because they can allow repressive regimes, or supporters of those regimes, to spy on their online activities.
In this case, the attackers hacked into the site of a Dutch company, one of many that have the authority to issue the digital certificates, and obtained one that they used to impersonate Google. When users in Iran went to a Google site, including Gmail and Google Docs, they could be intercepted by the impostors in what is known as a man-in-the-middle attack.
In a statement posted late Monday night on its security blog, Google said those affected “were primarily located in Iran.” It did not offer further details.
The Web site certification firm, DigiNotar, revoked the fraudulent certificate as soon as the attack came to light, Google said.
F-Secure, a security firm, said on Tuesday that it had found evidence that hackers had left their mark on DigiNotar’s Web site, scrawling the digital equivalent of graffiti and calling themselves “Iranian Hacker.” But it said the pages in question had been on the site for years and were probably unrelated to the certificate problem.
Companies like Google are keen to reassure their customers that their online communications are secure, but breaches like this highlight the vulnerability of the system.
More From This Section
Similar man-in-the-middle attacks have been used to get between e-commerce sites and their customers to steal credit card numbers and other personal information.
A range of government entities and private companies worldwide are authorised to issue authentication certificates. Another issuer was attacked earlier this year by a hacker who said he was a patriotic Iranian.
Security experts have been calling for an overhaul of the system. Earlier this year, Google proposed allowing Web site owners to specify which entities could issue certificates for their sites.
©2011 The New York
Times News Service