Iran forged the wrong SSL certificate

*.google.com

There has been a lot of talk recently about how someone — whom everyone presumes is the Iranian government — obtained a fake SSL certificate forfrom DigiNotar; this is the second such case this year, as in March someone (again, presumed to be the Iranian government) obtained fraudulent certificates from Comodo for Firefox extensions, Google, Gmail, Skype, Windows Live, and Yahoo. (Interestingly, while everybody is removing DigiNotar's certificate authority key from their trusted lists, Comodo — which has issued far more certificates — is still widely trusted. I wonder if they got a free ride because nobody wants to ship "the web browser which doesn't work with my bank".)

If you want to be really evil, however, *.google.com is the wrong SSL certificate to forge. The right one? ssl.google-analytics.com .

By many reports, Google Analytics is used by almost half of the top million websites, and an even greater proportion of high profile sites. The way Google Analytics works, each web page has a <script> tag which loads the Google Analytics javascript; that code then gathers information and forwards it to Google. Privacy issues aside, it works well — as long as the javascript does what it should.

If the javascript has been tampered with, it could do anything javascript can normally do — and does so with the permissions of the web page it is running from. Read all the text on the page? No problem. Read the passwords you're typing in? Easy. Send it all to evil-democracy-suppressors.gov.ir ? Easy to do using one or more web bugs.

When accessing sites via HTTPS, if Google Analytics is correctly installed the request to fetch the Google Analytics javascript will also be performed via HTTPS (if not, good web browsers will display a warning message); but if you have an SSL certificate for ssl.google-analytics.com you can supply your evil javascript anyway.

Sooner or later it's going to happen; obtaining forged SSL certificates is just too easy to hope otherwise. What can we do about it? Don't load the Google Analytics javascript when your site is accessed via HTTPS. This is easy to do: Just throw a if("http:" == document.location.protocol) around the document.write or s.parentNode.insertBefore code which loads the Google Analytics javascript. On the website for my Tarsnap online backup service I've been doing this for years — not just out of concern for the possibility of forged SSL certificates, but also because I don't want Google to be able to steal my users' passwords either!

And if you trust Google and you're not worried about Iran's demonstrated ability to obtain forged SSL certificates, ask yourself this: Do you trust the Chinese Ministry of Information Industry? Because your web browser probably does.

Disqus