Google users in Iran have come under fire from attempted man-in-the-middle attacks designed to harvest personal details, after a fraudulent certificate was issued by Dutch root certificate authority DigiNotar, forcing Google, Mozilla and Microsoft to alert customers.
The existence of the rogue certificate was first flagged on Sunday when a user named alibo posted to a Google thread about the SSL certificate, which was originally issued by DigiNotar on 10 July.
Google was then forced to respond on Monday, by which time DigiNotar had revoked the certificate.
"Today we received reports of attempted SSL man-in-the-middle attacks against Google users, whereby someone tried to get between them and encrypted Google services," wrote Heather Adkins, Google information security manager.
"The people affected were primarily located in Iran. The attacker used a fraudulent SSL certificate issued by DigiNotar, a root certificate authority that should not issue certificates for Google (and has since revoked it)."
Mozilla moved to block the certificate in Firefox, while Microsoft issued a security advisory saying that it had removed the rogue "DigiNotar root certificate from the list of trusted root certificates on Windows".
DigiNotar owner Vasco revealed that other certs were also generated after an "intrusion into its Certificate Authority (CA) infrastructure" on 19 July.
"At that time, an external security audit concluded that all fraudulently issued certificates were revoked," it added.
"Recently, it was discovered that at least one fraudulent certificate had not been revoked at the time. After being notified by Dutch government organisation Govcert, DigiNotar took immediate action and revoked the [Google.com] fraudulent certificate."
Chester Wisniewski, senior security advisor at Sophos Canada, said that the incident raises serious questions about the underlying certificate authority system of trust for web pages.
"Was DigiNotar compromised? Were the perpetrators able to acquire the certificate authority's certificate and sign their own bogus certificate? Or was DigiNotar tricked into signing the certificate for someone pretending to be Google?" he asked in a blog post.
"The answer to that question is nearly irrelevant as it is simply more evidence that the current certificate authority infrastructure that we have decided to 'trust' is totally untrustworthy.
"It doesn't matter how this happened. It has happened before, and unfortunately will happen again."
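The failure the article describes, a trusted root issuing a certificate for a site it has no business issuing for, and the two responses to it (browsers pinning the keys they expect to see behind google.com, and Microsoft removing the root from the trust store) can be shown in a few lines of Go. This is an added example, not code from the article or from any of the vendors named; every certificate, key and name below is constructed in memory, and the "legit" and "rogue" root names are placeholders.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue builds a CA (isCA) or server certificate for name, signed by parent/parentKey or self-signed when parent is nil; all material is constructed for the demo.
func issue(name string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: name},
		DNSNames:              []string{name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
		IsCA:                  isCA,
		BasicConstraintsValid: true,
	}
	if parent == nil { // self-signed root
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// accept runs ordinary chain validation against the trust-store roots; when a pin set (SHA-256 of SubjectPublicKeyInfo)
// is configured it also requires a pinned key somewhere in the chain, which a chain through an unexpected CA lacks.
func accept(leaf *x509.Certificate, host string, roots *x509.CertPool, pins map[[32]byte]bool) bool {
	chains, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	if err != nil || len(pins) == 0 {
		return err == nil // no pins: the trust store alone decides, as a plain browser would
	}
	for _, c := range chains[0] {
		if pins[sha256.Sum256(c.RawSubjectPublicKeyInfo)] {
			return true
		}
	}
	return false
}
```

With both roots in the store and no pins, the rogue CA's google.com certificate validates exactly as the fraudulent one did for the affected users; the same chain fails once pins are applied or the rogue root is dropped from the store.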