Google Warns Iranian Gmail Users After DigiNotar Breach

Google tells Iranian Gmail users to beware of suspicious prompts to click on links that could execute man-in-the-middle attacks. Comodohacker is using a fake certificate.

Google (NASDAQ:GOOG) Sept. 8 warned its Gmail users in Iran that their accounts may be compromised by the fake Secure Sockets Layer (SSL) security certificate issued by Dutch security firm DigiNotar.

The search engine provider, believed to have between 150 million and 200 million Gmail users worldwide, said that its own servers and infrastructure were not compromised in the security attack.

DigiNotar validates and registers SSL certificates, which ensure secure communications for Websites. A computer hacker going by the handle "Comodohacker" stole a Google authentication certificate from DigiNotar in July.

Comodohacker used the certificate to execute a so-called "man-in-the-middle attack," routing users to fake Web pages and enticing them to reveal their usernames and passwords. This would allow the hacker to access Iranian Gmail users' messages and monitor their conversations.

Iranian Gmail user Ali Borhani Aug. 28 published a screenshot of an SSL certificate warning that it appeared in Google's Chrome Web browser while accessing Gmail. Borhani's post included a link to Pastebin with the contents of the fake SSL certificate for Gmail.

DigiNotar issued the certificate July 10, and it was revoked by the Dutch certification authority on Aug. 29. Even so, Google is taking the unusual step of reaching out to Iranian users who may be affected and alerting them to how they might protect their privacy.

Those steps include: changing their password; verifying account recovery options, which include secondary email addresses, phone numbers and other information that helps users regain access to their account in the case of a loss password; checking Websites and applications permitted to access the account; checking Gmail settings for suspicious forwarding addresses; and paying attention to security warnings browsers provide.

Meanwhile Comodohacker is building serious credibility among the hacker set. He claims to have stolen certificates for 531 sites, including Facebook, Skype, Mozilla, Microsoft and Yahoo, as well as domains belonging to the CIA and Israel's Mossad, according to MSNBC.

DigiNotar was the biggest victim of this hack, as browser makers scrambled to shore up their defenses.

Google Sept. 3 marked DigiNotar untrusted in the next release of the Chrome OS. Microsoft removed DigiNotar from the default certificates store on Windows 7, Vista, Server 2008 and 2008 R2. Mozilla Sept. 6 released new versions of Firefox, Firefox Mobile and Thunderbird to revoke certificates signed by DigiNotar.