TechSpot means tech analysis and advice you can trust. Read our ethics statement.
It has been confirmed that DigiNotar, a SSL certificate authority from the Netherlands issued an Internet security certificate to unknown attackers on July 10th. For over 2 months this certificate would have allowed them to setup fake copies of Google websites that appeared genuine to the majority of users, and collect login information for all of the company's services, including Gmail.
It's still unknown how attackers managed to get the fake google.com security certificate issued. First reports of the scam came from an Iranian web user, who posted the information in a Google help forum, sparking speculation that the Iranian government had been involved in the attack and subsequent release of the security certificate.
Google Chrome's in-built security measures did their part in questioning the authenticity of the certificate, but it is very likely that many others were unaware of the problem. This follows a similar incident earlier in the year when Comodo found itself the victim on a hack, with fake certificates for several high profile companies released under its name. Evidence gathered during the investigation of that attack suggested the attack came from within Iran.
The Electronic Frontier Foundation (EFF) commented that it highlighted fundamental issues with SSL and the authorities such as DigiNotar, who issue certificates. "The certificate authority system was created decades ago in an era when the biggest on-line security concern was thought to be protecting users from having their credit card numbers intercepted by petty criminals," the EFF said. "Today internet users rely on this system to protect their privacy against nation-states. We doubt it can bear this burden."
Google in the meantime has taken steps to block all sites issued with DigiNotar security certificates pending a full investigation. Mozilla has also posted an easy guide to remove the DigiNotar fraudulent SSL certificate from your browser.