Google users in Iran have come under fire from attempted man-in-the-middle attacks designed to harvest personal details, after a fraudulent certificate was issued by Dutch root certificate authority DigiNotar, forcing Google, Mozilla and Microsoft to alert customers.
The existence of the rogue certificate was first flagged on Sunday when a user named alibo posted to a Google thread about the SSL certificate, which was originally issued by DigiNotar on 10 July.
Google was then forced to respond on Monday, by which time DigiNotar had revoked the certificate.
"Today we received reports of attempted SSL man-in-the-middle attacks against Google users, whereby someone tried to get between them and encrypted Google services," wrote Heather Adkins, Google information security manager.
"The people affected were primarily located in Iran. The attacker used a fraudulent SSL certificate issued by DigiNotar, a root certificate authority that should not issue certificates for Google (and has since revoked it)."
Mozilla moved to block the certificate in Firefox, while Microsoft issued a security advisory saying that it had removed the rogue "DigiNotar root certificate from the list of trusted root certificates on Windows".
DigiNotar owner Vasco revealed that other certs were also generated after an "intrusion into its Certificate Authority (CA) infrastructure" on 19 July.
"At that time, an external security audit concluded that all fraudulently issued certificates were revoked," it added.
"Recently, it was discovered that at least one fraudulent certificate had not been revoked at the time. After being notified by Dutch government organisation Govcert, DigiNotar took immediate action and revoked the [Google.com] fraudulent certificate."
Chester Wisniewski, senior security advisor at Sophos Canada, said that the incident raises serious questions about the underlying certificate authority system of trust for web pages.
"Was DigiNotar compromised? Were the perpetrators able to acquire the certificate authority's certificate and sign their own bogus certificate? Or was DigiNotar tricked into signing the certificate for someone pretending to be Google?" he asked in a blog post.
"The answer to that question is nearly irrelevant as it is simply more evidence that the current certificate authority infrastructure that we have decided to 'trust' is totally untrustworthy.
"It doesn't matter how this happened. It has happened before, and unfortunately will happen again."