Google is advising users in Iran to take specific steps in order to re-secure their Gmail accounts after last week’s reveal of the man-in-the-middle attacks that targeted Iranian users. The attackers used fraudulent SSL certificates issued by a compromised root certificate authority in the Netherlands, DigiNotar. These fake certificates allowed hackers to impersonate Google.com and others.
Google was only one of the domains affected in the breach. Attackers signed hundreds of certificates for sites including Facebook, Microsoft, Yahoo!, Tor, Skype, Mossad, CIA, MI6, LogMeIn, Twitter, Mozilla, AOL and WordPress. The Dutch government released a spreadsheet with 531 entries of known bad certificates after the attacks. The full list is here on the Tor website.
Although Google, Mozilla and others moved quickly to remove DigiNotar as a trusted authority in their Web browsers, it was too late to protect users from the damage that had already been done.
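The two defensive controls the story turns on, pulling a compromised CA out of the browser trust store and catching a certificate from an unexpected issuer before that happens, can be shown in a few dozen lines. The following Go program is an added example, not code from Google, Mozilla or DigiNotar: it builds a constructed toy PKI with a legitimate root, a second root standing in for the compromised CA, and a server certificate for the placeholder hostname mail.example.test issued by each. It then shows that the fraudulent certificate verifies while the compromised root is still trusted, fails once that root is removed from the pool, and fails a public-key pin for the hostname regardless of what the trust store contains. All names, serial numbers and the hostname are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// host is a constructed placeholder hostname, not a real Google domain.
const host = "mail.example.test"

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// sign generates a key pair for tmpl and has signer sign the certificate;
// a nil signer means self-signed, with tmpl as its own parent.
func sign(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if signer == nil {
		parent, signer = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer))
	return must(x509.ParseCertificate(der)), key
}

// newRoot creates a self-signed CA certificate named cn.
func newRoot(cn string) (*x509.Certificate, *ecdsa.PrivateKey) {
	return sign(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}, nil, nil)
}

// issueLeaf has a root CA sign a server certificate for host.
func issueLeaf(root *x509.Certificate, rootKey *ecdsa.PrivateKey) *x509.Certificate {
	leaf, _ := sign(&x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}, root, rootKey)
	return leaf
}

// buildPKI returns the constructed certificates: a legitimate root, a second
// root playing the part of a compromised CA, and one leaf for host from each.
func buildPKI() (goodRoot, badRoot, goodLeaf, badLeaf *x509.Certificate) {
	goodRoot, goodKey := newRoot("Legitimate Root CA (constructed)")
	badRoot, badKey := newRoot("Compromised Root CA (constructed)")
	return goodRoot, badRoot, issueLeaf(goodRoot, goodKey), issueLeaf(badRoot, badKey)
}

// chainsToTrustedRoot is the check a browser makes on every TLS handshake:
// accept leaf for host only if it chains to a root in the trust store.
func chainsToTrustedRoot(leaf *x509.Certificate, roots ...*x509.Certificate) bool {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: pool})
	return err == nil
}

// spkiPin is the SHA-256 of the SubjectPublicKeyInfo, the value a public-key pin compares.
func spkiPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// pinMatches reports whether leaf carries a key pinned for host; an unexpected issuer fails even while trusted.
func pinMatches(leaf *x509.Certificate, pins map[string]map[string]bool) bool {
	return pins[host][spkiPin(leaf)]
}

func main() {
	goodRoot, badRoot, goodLeaf, badLeaf := buildPKI()
	pins := map[string]map[string]bool{host: {spkiPin(goodLeaf): true}}
	fmt.Println("fraudulent cert, both roots trusted:     ", chainsToTrustedRoot(badLeaf, goodRoot, badRoot))
	fmt.Println("fraudulent cert, compromised root removed:", chainsToTrustedRoot(badLeaf, goodRoot))
	fmt.Println("fraudulent cert vs. pin for host:        ", pinMatches(badLeaf, pins))
}
```

Removing the root from the pool is the fix the browser vendors shipped, and it only helps after the update reaches the user. The pin check is the earlier line of defence: Chrome at the time shipped built-in public-key pins for Google's own domains, which is why a DigiNotar-issued certificate for a Google hostname produced a warning in Chrome even though DigiNotar was still a trusted root everywhere else.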
Google tries to downplay the problem a bit in its blog post by stating that “users of the Chrome browser were protected from this threat,” but that’s not entirely accurate. They were protected after Google moved to revoke DigiNotar as a trusted authority, but there was still a period of time when users could have been compromised.
And the threat may still be present for those who have not taken action. As security researcher Graham Cluley explains, “even if hackers who broke into your Gmail account no longer know your password, there are still things they could have done while they had access to your email which will allow them to continue to monitor your communications.”
For that reason, Google is now suggesting that its Iranian users secure their accounts by taking the following steps:
Those who believe their account was compromised in the attack can begin the recovery process here.
Update: Google PR responds that warnings issued by the Chrome browser (and others) alerted the company to the issue in the first place. And Chrome users were protected from the start unless they chose to click through and ignore the “prominent certificate warnings” in their browser.
This is why Google is able to make such a claim, apparently. But the fact is, if Chrome users were fully protected, there would be no need for the extra precautions, in my opinion. Chrome users were warned, yes; protected, no. Heck, just last week a less-than-technically-savvy friend of mine clicked right through one of those warnings (unrelated to this attack) and promptly got a virus.