SSL security issue caused by the Iranian government: in depth look!

by xenatisch

Before getting to the point, one needs to know what SSL is and what does it do at all?

Secured Sockets Layer

Secure Sockets Layer or SSL is a cryptographic protocol that provides communications security over an internetnetwork, including the internet. SSL encrypts the segments of network connections above the Transport Layer, using symmetric cryptography for privacy and a keyed message authentication code for message reliability.

Basically, SSL works as follows:

Open System Interconnection

This procedure mainly occurs in the 6th layer of OSI (Open System Interconnection) system, also known as Presentation layer. OSI model consists of 7 layers, each of which works independently. These layers tend to put a header on the data packets (or frames, segments, etc) they receive. In which case, one the header is placed over the data, it can only be removed by the same layer, either on the same computer (known as the sender), or in another one (supposedly the receiver).

Knowing this, the classification of OSI layers are as follows:

Okay. Having said that, you also need to consider the fact that the user interactive programmes on a computer are placed within the Application layer, that is, layer number 7. In which case, they have no control over the layer below them, unless otherwise it requested by the the layer below them, itself.
SSL is able to offer such very high level encryptions which might take tens of years for a regular computer to break.
However, what the Iranian government seems to be doing can easily become ice clear to someone experienced in the area of IT. Check this out:
A major issuer of secure socket layer (SSL) certificates acknowledged on Wednesday that it had issued 9 fraudulent SSL certificates to seven Web domains, including those for, and following a security compromise at an affiliate firm. The attack originated from an IP address in Iran, according to a statement from Comodo Inc.
Although SSL is very secure, it can be controlled through its user’s machine (computer, mobile, printer or any network interface). There are several SSL certificate issuers in the world that are accredited by the SSL Inc., out of which the first place belongs to VeriSign.
Many of the website you use everyday take advantage of this security system. In fact, whenever you see a sign of HTTPS in the beginning of a URL  in your browser navigator, you may be sure that you are using an SSL certificate. When you sign into your Yahoo!® account, when you use your Gmail®, when you make an online payment using your credit or debit cards, when you enter your private information into a website, when you enter your passwords, when you look up your bank account using internet banking and so many other secured environment that you may hit everyday over the internet.
Trusted and Certified
Once into a SSL Secured transmission, the transmission medium (could your browser, a network dependant software, a SMTP dependant hardware like SMTP enabled printers, and so on and so forth) will check into the verified SSL certificates. If it was valid, you won’t even notice that you have been redirected to a secured area. The only thing that happens is that your URL changes to HTTPS, the certificate will be shown valid as a very small icon on a corner of your browser (the place varies depending on the  browser), and the speed reduces slightly, since all the data, sent and received, gets encrypted.
A valid certificate, therefore, would typically looks like this:
Click to enlarge.
and the most important part of it is:
Browser Reactions
Where number 1 represents the website that the certificate has been issued for. And number 2 represents the date on which the certificate expires (or required to be renewed) and whether or not the certificate is still valid an verified by the issuer or not.
In case of an invalid certificate, different browsers behave differently. What I’m going to do is that I’m going to set up an untrusted unverified certificate on my own website and show you how the browsers would therefore act. I’m also going to show you examples of 4 different browsers: Safari, Firefox, Chrome, Opera and IE.
Safari 5.0.4 :
Firefox 4.0 :
Chrome 10.0.648.151 :
Opera 11.01 :
Internet Explorer 8:
Why are the untrusted certificates used at all?
There could be various reasons for that. Some networks may be desired to remain offline, and therefore they cannot get verified SSL certificates. The number of users may not be as many, so it wouldn’t be financially reasonable to buy it. And many other reasons. But they remain untrusted, unless we are absolutely sure about the content, and the certificate we are about to use.  Like our own websites, or a university internal network and so forth.
How do we know?
However, when we get to the internationally recognised service providers, such as Yahoo!®, Google®, Skype®, our banks, Facebook®, etceteras, an invalid certificate will, and must ring a bell, actually, an alarm!
What shall we do?
Conclusion would be, if you are asked to trust a certificate on a well known service provider website, never do so, there is something wrong. Try to report it to the administrator for further investigations.
What can they do with an untrusted, invalid certificate at all?
Having said all the above, now we are getting to the climax! Your data gets encrypted using SSL in the presentation layer of your network, it then takes its header, which also consists the key, and is then released to the layers below it to be transmitted through the network, the internetwork, the internet, and the destination.
Now, let’s see how does it get to the destination, and what does it go through in this journey?
I tried to keep the diagram very simple. Now if you look inside the cloud, you see 3 kinds of links. Some are in black, which is normal. Some are in blue, which is what the Iranian telecom is now doing, and some are in red, which is how it is supposed to be. So, considering the current situation, all the data goes to a super computer in the server, before going to where it is supposed to go. But didn’t we say that no other network interface can open SSL, unless the actual destination? Well, that is where the hack has taken place. When you accept an invalid certificate, you are trusting a computer that may not, and in this case is not, the computer (the server, or the interface) which you want to communicate with. In which case, you are telling you SSL, okay, well, this is what I wanna communicate with! So that computer receives all your data, saves it, and the forwards it to main server that you wanted to communicate with, such as Google, Yahoo or anything else. So, you data once gets decrypted inside your internet service provider for monitoring purposes and censorship, then gets encrypted, gets sent to the main server, and vice-versa. Therefore, there is basically no way of preventing this, unless you reach for the true and valid certificate. No antivirus or firewall can be of assistance here, if you, as the owner and administrator of your computer, allow this and trust the certificate whereas you command has more priority to the computer than the Antivirus, or the FireWall.
In conclusion:
  • Do not accepted certificates unless you are absolutely sure they are valid.
  • Use encrypted proxy servers in order to open your personal documentations over the internet (Emails, Bank account, etc).
  • Avoid using VPNs unless they have valid SSL certificates (which is very rare), make sure your VPN setting is not set on trust all SSL certificates.
  • Use redirecting IP/Port systems, if available.
  • Make sure your data is transmitted on a valid certificate at all times.
  • Keep your certificate database up to date by upgrading your operating system, your browsers, and other medium software, such a Flickr uploader, iPhoto, ACDSee, and so on.

If there is any question that I can help with, do not hesitate to leave comments here, or email me. I would be delighted to be of assistance.