8/27/11
Original Poster
alibo
Is This MITM Attack to Gmail's SSL?
Hi,
Today, when I tried to login to my Gmail account I saw a certificate warning in Chrome.
I took a screenshot and I saved certificate to a file.
This is the certificate file with screenshot in a zip file:
and this is text of decoded fake certificate:
When I used a VPN I didn't see any warning! I think my ISP or my government did this attack (because I live in Iran and you may hear something about the story of Comodo hacker!)
Recommended Answer

8/30/11
Google user
An update on attempted man in the middle attacks
http://googleonlinesecurity.blogspot.com/2011/08/update-on-attempted-man-in-middle.html
Monday, August 29, 2011 8:59 PM
Posted by Heather Adkins, Information Security Manager
Today we received reports of attempted SSL man-in-the-middle (MITM) attacks against Google users, whereby someone tried to get between them and encrypted Google services. The people affected were primarily located in Iran. The attacker used a fraudulent SSL certificate issued by DigiNotar, a root certificate authority that should not issue certificates for Google (and has since revoked it).
Google Chrome users were protected from this attack because Chrome was able to detect the fraudulent certificate.
To further protect the safety and privacy of our users, we plan to disable the DigiNotar certificate authority in Chrome while investigations continue. Mozilla also moved quickly to protect its users. This means that Chrome and Firefox users will receive alerts if they try to visit websites that use DigiNotar certificates.
To help deter unwanted surveillance, we recommend that users, especially those in Iran, keep their web browsers and operating systems up to date and pay attention to web browser security warnings.
Recommended by Original Poster
All Replies (26)

8/29/11
mf0x
probably your ISP is responsible,
they couldn't massively MITM/Sniff Gmail in Iran, yet.
can you please tell us what ISP is providing you ?
8/29/11
Original Poster
alibo
my ISP is ParsOnline:
http://www.parsonline.com/en
I see this fake certificate only 30 minutes or 1 hour per day, maybe they just test how to sniff their users!
but my friend has another ISP and he has same problem.
I tried to trace route some domains like google.com, youtube.com, yahoo.com, bing.com, etc.
all of them except google.com were normal and had same tracks when packets were in Iran yet, but packets of google.com have more tracks.

8/29/11
mf0x
yes maybe.
I am from Iran too, but I have DSL from different ISP, and I didn't notice SSL MITM yet.
can you place traceroute to mail.google.com here?
8/29/11
Original Poster
alibo
Unfortunately, tonight I don't see any differences in packet tracking by trace route google.com, but if I see a difference I place traceroute logs here

8/29/11
ioerror
Please run the following commands:
tracert mail.google.com
You may also want to try with PathPing ( http://en.wikipedia.org/wiki/PathPing ):
pathping mail.google.com
If you're able to do so, I suggest using tcptraceroute ( http://michael.toren.net/code/tcptraceroute/ ) and running these also:
tcptraceroute mail.google.com 0
tcptraceroute mail.google.com 53
tcptraceroute mail.google.com 80
tcptraceroute mail.google.com 123
tcptraceroute mail.google.com 443
Also some UDP traceroutes on port 53:
traceroute -U -p 53 mail.google.com
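
Added example, not part of ioerror's post: once the traces requested above are saved per destination port, this Python code compares the hop lists and reports where a port's path leaves the baseline, which is the kind of difference alibo described for google.com. The sample traces are constructed with documentation-range addresses, and the names `TRACES`, `parse_hops` and `compare_paths` are assumptions of this example.

```python
import re

# Constructed sample output keyed by destination port (documentation-range
# addresses, not real measurements). Port 443 takes a longer path here.
TRACES = {
    80: """\
 1  192.0.2.1  1.2 ms
 2  198.51.100.9  8.4 ms
 3  203.0.113.20  41.0 ms
""",
    53: """\
 1  192.0.2.1  1.3 ms
 2  * * *
 3  203.0.113.20  40.2 ms
""",
    443: """\
 1  192.0.2.1  1.1 ms
 2  198.51.100.9  8.9 ms
 3  198.51.100.77  12.3 ms
 4  * * *
 5  203.0.113.20  44.7 ms
""",
}

HOP_LINE = re.compile(r"^\s*\d+\s+(.*)$")
IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")

def parse_hops(text):
    """Return one address per TTL, or None where the hop did not answer."""
    hops = []
    for line in text.splitlines():
        m = HOP_LINE.match(line)
        if m:
            ip = IPV4.search(m.group(1))
            hops.append(ip.group(0) if ip else None)
    return hops

def compare_paths(traces, baseline_port):
    """Per port: first TTL that differs from the baseline, and hop-count delta."""
    base = parse_hops(traces[baseline_port])
    report = {}
    for port, text in traces.items():
        if port == baseline_port:
            continue
        hops = parse_hops(text)
        # Silent hops (None) are unknown, so they never count as a difference.
        ttl = next((i + 1 for i, (a, b) in enumerate(zip(base, hops))
                    if a and b and a != b), None)
        report[port] = {"first_divergent_ttl": ttl,
                        "extra_hops": len(hops) - len(base)}
    return report
```

With the constructed data, `compare_paths(TRACES, 80)` flags port 443 as diverging at TTL 3 with two extra hops, while port 53 matches the baseline despite its silent hop.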

9/27/11
m.eftekharian
ANOTHER PHISHING FOR YAHOO
https://docs.google.com/spreadsheet/viewform?formkey=dGJDRGFqcDlJVEtyOXVmcmpIdE9jMWc6MQ
I've got a mail today, which redirected me to this form and asked for Yahoo user password!!!!!