Google users in Iran have been targeted by attempted man-in-the-middle attacks designed to harvest personal details, after a fraudulent certificate for google.com was issued by Dutch root certificate authority DigiNotar, forcing Google, Mozilla and Microsoft to alert customers.
The existence of the rogue certificate was first flagged on Sunday, when a user named alibo posted to a Google discussion thread about the SSL certificate, which had been issued by DigiNotar on 10 July.
Google was then forced to respond on Monday, by which time DigiNotar had revoked the certificate.
"Today we received reports of attempted SSL man-in-the-middle attacks against Google users, whereby someone tried to get between them and encrypted Google services," wrote Heather Adkins, Google information security manager.
"The people affected were primarily located in Iran. The attacker used a fraudulent SSL certificate issued by DigiNotar, a root certificate authority that should not issue certificates for Google (and has since revoked it)."
Mozilla moved to block the certificate in Firefox, while Microsoft issued a security advisory saying that it had removed the "DigiNotar root certificate from the list of trusted root certificates on Windows", so that nothing chaining to that root is trusted at all.
DigiNotar owner Vasco revealed that other fraudulent certificates were also generated after an "intrusion into its Certificate Authority (CA) infrastructure" on 19 July.
"At that time, an external security audit concluded that all fraudulently issued certificates were revoked," it added.
"Recently, it was discovered that at least one fraudulent certificate had not been revoked at the time. After being notified by Dutch government organisation Govcert, DigiNotar took immediate action and revoked the [Google.com] fraudulent certificate."
Chester Wisniewski, senior security advisor at Sophos Canada, said that the incident raises serious questions about the underlying certificate authority system of trust for web pages.
"Was DigiNotar compromised? Were the perpetrators able to acquire the certificate authority's certificate and sign their own bogus certificate? Or was DigiNotar tricked into signing the certificate for someone pretending to be Google?" he asked in a blog post.
"The answer to that question is nearly irrelevant as it is simply more evidence that the current certificate authority infrastructure that we have decided to 'trust' is totally untrustworthy.
"It doesn't matter how this happened. It has happened before, and unfortunately will happen again."