Catching the Internet’s spies in Iran and elsewhere

In August, Google introduced a new, if rather obscure, security feature to its Chrome web browser, designed to be triggered only under extreme circumstances.

If you are talking to Google’s servers using the web’s secure “https” protocol, your browser makes a number of checks to ensure that you are really talking to Google’s servers. Like an overly obsessive bouncer, the new code double-checks the identity of any supposed Google site against a Chrome-only list of valid Google identities hardwired into the browser.

The feature was experimental, so Google only included checks for its own websites. This week, a handful of Chrome users visiting Gmail and other Google sites triggered the warning, and contacted Google. According to Google’s later reporting, the affected users were “primarily located” in Iran.
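The essence of that hardwired double-check, as an added example in Python (not code from the page, from Google or from Chrome): the public key of each certificate in the presented chain is hashed and compared with a pin set that exists only for the pinned hosts, so a chain the operating system trusts but that contains no expected key is flagged, while an unpinned host gets no extra check at all. Every key byte string and host name below is a constructed stand-in for the DER-encoded SubjectPublicKeyInfo of a real chain.

```python
import base64
import hashlib

# Constructed stand-ins for the DER-encoded SubjectPublicKeyInfo (SPKI) of
# certificates. Real pinning hashes the actual DER bytes; these placeholders
# only make the example run offline.
SPKI = {
    "google-leaf":         b"SPKI:constructed:google-leaf-key",
    "google-intermediate": b"SPKI:constructed:google-intermediate-key",
    "pinned-root":         b"SPKI:constructed:root-that-issues-google-key",
    "rogue-leaf":          b"SPKI:constructed:fraudulent-google-leaf-key",
    "unpinned-root":       b"SPKI:constructed:some-other-trusted-root-key",
}


def spki_pin(spki_der: bytes) -> str:
    """Pin = base64(SHA-256(SPKI)), the form later standardised in HPKP."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


# Hypothetical hardwired pin list: which hosts are pinned and which issuer
# keys may appear anywhere in their chain. Only one Google host is listed,
# mirroring the experimental, Google-only scope described in the article.
PINNED_HOSTS = {
    "mail.google.com": {spki_pin(SPKI["google-intermediate"]),
                        spki_pin(SPKI["pinned-root"])},
}


def check_chain(host: str, chain_spkis: list) -> str:
    """Return 'not-pinned', 'ok' or 'PIN-MISMATCH' for a presented chain.

    chain_spkis holds the SPKI of every certificate in the chain, leaf first.
    The chain passes if at least one certificate's pin is in the host's set.
    A chain the OS already trusts but that matches no pin is the DigiNotar
    scenario: a valid-looking certificate not issued the way the site owner
    expects.
    """
    pins = PINNED_HOSTS.get(host)
    if pins is None:
        return "not-pinned"  # no extra check: a mis-issued cert goes unnoticed
    presented = {spki_pin(s) for s in chain_spkis}
    return "ok" if presented & pins else "PIN-MISMATCH"


if __name__ == "__main__":
    genuine = [SPKI["google-leaf"], SPKI["google-intermediate"], SPKI["pinned-root"]]
    rogue = [SPKI["rogue-leaf"], SPKI["unpinned-root"]]
    print(check_chain("mail.google.com", genuine))  # ok
    print(check_chain("mail.google.com", rogue))    # PIN-MISMATCH
    print(check_chain("example.org", rogue))        # not-pinned
```

The third call is the point made later in the article: the same fraudulent chain presented for a host that is not on the pin list passes without any warning.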

What does this mean? It means that somebody in Iran had gone to great lengths to intercept supposedly secure Internet traffic, including Gmail messages.

This was not a trivial undertaking. The Iranian users’ reports reveal what must have happened. The snoopers’ associates had either broken into or defrauded the Dutch Internet security firm DigiNotar, and obtained from them a fake digital identity document, an https certificate, in the name of Google. They then redirected Google traffic within Iran, and used the certificate to masquerade as Google. With those capabilities, the party would be able to intercept and collect any private communications between Iranians and Google, including supposedly highly secure Gmail messages.

The combination of a targeted attack and the commandeering of at least two Internet service providers suggests a highly organized attempt to spy on a large number of Iranian Net users’ secure communications. The obvious, but unproven, candidate for this seems to be some element of the Iranian security forces.

If state security agents are working in cooperation with criminals in repressive countries like Iran, it will be unsurprising if one of the groups that governments and organized crime most wish to silence is targeted: journalists.

It is also important, however, to note what we cannot yet conclude. Firstly, we do not know the extent of the Iranian surveillance. Google only spotted the attack on its own services because the company had added specific extra checks in its browser for its own websites. Many other websites’ communications may have been compromised with no chance of detection.

The company most responsible for allowing this attack has not helped. Despite its clear involvement, DigiNotar has remained largely silent about the attack and has failed to notify other sites that may have been compromised. For instance, DigiNotar only informed the Tor Project, whose software is regularly used by at-risk journalists to communicate anonymously on the Internet, after the group directly requested confirmation that it had been targeted. (If you are in Iran and downloaded the Tor software recently, you should check the signatures of the files you downloaded.) Press reports have suggested that more than 200 sites may have been affected.

While all eyes are on Iran, the country remains one of the few nations that would have a need to defraud Western companies in order to conduct such surveillance. Many governments, including countries with a poor reputation for defending freedom of expression or privacy, are able to generate any number of fake digital certificates on their own authority.

The current dependence of secure Internet traffic on a few, potentially insecure commercial companies is a profound flaw, but fixes are being worked on. One useful browser add-on that vulnerable groups should consider using is Convergence, which conducts a similar double-check to Chrome but has the potential to compare with multiple sources. The tool, still in its early stages, would have spotted the Iranian attack.

Experts can build tools to detect spying on https traffic partly because such encrypted, authenticated communications are inherently harder to spy upon. By contrast, every state, and many criminal and commercial groups, can trivially spy on unencrypted data with no chance of being spotted. Almost all of the communications of journalists and news media, including messages between sources and reporters, continue to pass over the Internet with no protection from snooping at all.

Detectable surveillance will always represent the tip of the iceberg. Journalists who expect attacks from criminals or even their own governments need to take proactive steps to protect themselves, including using https and tools like Tor, even if they know those protections are now under concerted attack.