8/27/11

Original Poster

alibo

Is This MITM Attack to Gmail's SSL ?

1 Recommended Answer

Hi,

Today, when I trid to login to my Gmail account I saw a certificate warning in Chrome .

I took a screenshot and I saved certificate to a file .

this is the certificate file with screenshot in a zip file:

http://www.mediafire.com/?rrklb17slctityb

and this is text of decoded fake certificate:

http://pastebin.com/ff7Yg663

when I used a vpn I didn't see any warning ! I think my ISP or my government did this attack (because I live in Iran and you may hear something about the story of Comodo hacker!)

Community content may not be verified or up-to-date. Learn more.

Recommended Answer

8/30/11

Google user

An update on attempted man in the middle attacks
http://googleonlinesecurity.blogspot.com/2011/08/update-on-attempted-man-in-middle.html

Monday, August 29, 2011 8:59 PM
Posted by Heather Adkins, Information Security Manager

Today we received reports of attempted SSL man-in-the-middle (MITM) attacks against Google users, whereby someone tried to get between them and encrypted Google services. The people affected were primarily located in Iran. The attacker used a fraudulent SSL certificate issued by DigiNotar, a root certificate authority that should not issue certificates for Google (and has since revoked it).

Google Chrome users were protected from this attack because Chrome was able to detect the fraudulent certificate.

To further protect the safety and privacy of our users, we plan to disable the DigiNotar certificate authority in Chrome while investigations continue. Mozilla also moved quickly to protect its users. This means that Chrome and Firefox users will receive alerts if they try to visit websites that use DigiNotar certificates.

To help deter unwanted surveillance, we recommend that users, especially those in Iran, keep their web browsers and operating systems up to date and pay attention to web browser security warnings.

Recommended by Original Poster

Was this answer helpful?

How can we improve it?

All Replies (26)

8/29/11

mf0x

probably your ISP is responsible,
they couldn't massively MITM/Sniff Gmail in Iran, yet.

can you please tell us what ISP is providing you ?

8/29/11

Original Poster

alibo

my ISP is ParsOnline:
http://www.parsonline.com/en

but my friend has another ISP and he has same problem.

I tried to trace route some domains like google.com ,youtube.com, yahoo.com, bing.com, etc.

all of them except google.com were normal and had same tracks when packets were in Iran yet, but packets of google.com have more tracks.

I see this fake certificate only 30 minutes or 1 hour per day maybe thay just test how sniff their users!

8/29/11

mf0x

yes maybe.
I am from Iran too, but i have DSL from different ISP, and i didnt notice SSL MITM yet.

can you place traceroute to mail.google.com here?

8/29/11

Original Poster

alibo

Unfortunately, tonight I don't see any differences in packet tracking by trace route google.com, but if I see a difference I place traceroute logs here

8/29/11

ioerror

Please run the following commands:

tracert mail.google.com

You may also want to try with ( http://en.wikipedia.org/wiki/PathPing ) PathPing:

pathping mail.google.com

If you're able to do so, I suggest using tcptraceroute ( http://michael.toren.net/code/tcptraceroute/ ) and running these also:

tcptraceroute mail.google.com 0

tcptraceroute mail.google.com 53

tcptraceroute mail.google.com 80

tcptraceroute mail.google.com 123

tcptraceroute mail.google.com 443

Also some UDP traceroutes on port 53:

traceroute -U -p 53 mail.google.com

20 MORE

9/27/11

m.eftekharian

ANOTHER PHISINIG FOR YAHOO
https://docs.google.com/spreadsheet/viewform?formkey=dGJDRGFqcDlJVEtyOXVmcmpIdE9jMWc6MQ
I've got a mail today, which redirect me to this form and asked for yahoo user password!!!!!

This question is locked and replying has been disabled. Still have questions? Ask the Help Community.

Badges

Some community members might have badges that indicate their identity or level of participation in a community.

Google Employee — Google product team members and community managers

Community Specialist — Google partners who help ensure the quality of community content

Platinum Product Expert — Community members with advanced product knowledge who help other Google users and Product Experts

Gold Product Expert — Community members with in-depth product knowledge who help other Google users by answering questions

Silver Product Expert — Community members with intermediate product knowledge who help other Google users by answering questions

Product Expert Alumni — Former Product Experts who are no longer members of the program

Community content may not be verified or up-to-date. Learn more.

Levels

Member levels indicate a user's level of participation in a forum. The greater the participation, the higher the level. Everyone starts at level 1 and can rise to level 10. These activities can increase your level in a forum:

Post an answer.
Having your answer selected as the best answer.
Having your post rated as helpful.
Vote up a post.
Correctly mark a topic or post as abuse.

Having a post marked and removed as abuse will slow a user's advance in levels.

View profile in forum?

To view this member's profile, you need to leave the current Help page.

Reply in forum?

This comment originated in the Google Product Forum. To reply, you need to leave the current Help page.

Is This MITM Attack to Gmail's SSL ?

Badges

Levels

View profile in forum?

Report abuse in forum?

Reply in forum?