In August, Google introduced a new, if rather obscure, security feature to its Chrome web browser, designed to be triggered only under extreme circumstances.
When you talk to Google's servers using the web's secure "https" protocol, your browser makes a number of checks to ensure that you are really talking to Google's servers. Like an overly obsessive bouncer, the new code double-checks the identity of any supposed Google site against a Chrome-only list of valid Google identities hardwired into the browser.
The feature was experimental, so Google only included checks for its own websites. This week, a handful of Chrome users visiting Gmail and other Google sites triggered the warning, and contacted Google. According to Google's later reporting, the affected users were "primarily located" in
What does this mean? It means that somebody in
This was not a trivial undertaking. The Iranian users' reports reveal what must have happened. The snoopers' associates had either broken into or defrauded the Dutch Internet security firm DigiNotar, and obtained from them a fake digital identity document, an https certificate, in the name of Google. They then redirected Google traffic within
The combination of a targeted attack and the commandeering of at least two Internet service providers suggests a highly organized attempt to spy on a large number of Iranian Net users' secure communications. The obvious, but unproven, candidate for this seems to be some element of the Iranian security forces.
If state security agents are working in cooperation with criminals in repressive countries like
It is also important, however, to note what we cannot yet conclude. Firstly, we do not know the extent of the Iranian surveillance. Google only spotted the attack on its own services because the company had added specific extra checks in its browser for its own websites. Many other websites' communications may have been compromised with no chance of detection.
The company most responsible for allowing this attack has not helped. Despite its clear involvement, DigiNotar has remained largely silent about the attack and has failed to notify other sites that may have been compromised. For instance, DigiNotar only informed the Tor Project, whose software is regularly used by at-risk journalists to communicate anonymously on the Internet, after the group directly requested confirmation that it had been targeted. (If you are in
While all eyes are on
The current dependence of secure Internet traffic on a few, potentially insecure commercial companies is a profound flaw, but fixes are being worked on. One useful browser add-on that vulnerable groups should consider using is Convergence, which conducts a similar double-check to Chrome but has the potential to compare with multiple sources. The tool, still in its early stages, would have spotted the Iranian attack.
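The two double-checks described above, Chrome's hardwired list of valid Google identities and Convergence's comparison against multiple sources, can be modelled side by side. The following is an added example written for this article; it is not Chrome's or Convergence's code. The certificate records, key bytes, pin format (a SHA-256 hash over the public key), notary names and the "*.google.com" subject are all constructed assumptions, and ordinary chain validation is deliberately left out because a certificate from a trusted-but-compromised CA would pass it anyway.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """Simplified certificate record (constructed; not parsed X.509)."""
    subject: str   # host name the certificate claims, e.g. "*.google.com"
    issuer: str    # certificate authority that signed it
    spki: bytes    # stand-in for the SubjectPublicKeyInfo bytes


def spki_pin(cert: Cert) -> str:
    """Pin value: a hash over the public key rather than the whole certificate.

    Keying on the public key means a certificate reissued for the same key
    still matches, while a certificate for the same name signed by a different
    CA with a different key does not. SHA-256 is an assumption made here; the
    article does not describe the browser's own pin format.
    """
    return hashlib.sha256(cert.spki).hexdigest()


def chain_matches_pins(chain: list[Cert], pins: frozenset[str]) -> bool:
    """Chrome-style hardwired check for a site that has pins.

    Passes if any certificate in the presented chain (leaf, intermediate or
    root) carries one of the pinned public keys. This runs in addition to,
    never instead of, ordinary chain validation.
    """
    return any(spki_pin(c) in pins for c in chain)


def notary_consensus(local_pin: str, notary_pins: dict[str, str],
                     quorum: int) -> tuple[bool, list[str]]:
    """Convergence-style check: compare what this client received with what
    independent vantage points saw for the same host.

    Returns (ok, names of notaries that disagree). `ok` requires at least
    `quorum` notaries to report the same public key this client received.
    """
    agreeing = [n for n, p in notary_pins.items() if p == local_pin]
    disagreeing = [n for n, p in notary_pins.items() if p != local_pin]
    return len(agreeing) >= quorum, disagreeing


# --- constructed sample data: made-up key bytes, not real certificates ---
GENUINE_GOOGLE_KEY = b"constructed: genuine google leaf key"
FORGED_KEY = b"constructed: key generated by the attacker"

# The pin list the client ships with: the genuine key only.
GOOGLE_PINS = frozenset({
    spki_pin(Cert("*.google.com", "Google Internet Authority", GENUINE_GOOGLE_KEY)),
})

GENUINE_CHAIN = [
    Cert("*.google.com", "Google Internet Authority", GENUINE_GOOGLE_KEY),
    Cert("Google Internet Authority", "Root CA", b"constructed: google ca key"),
]
# A certificate in Google's name issued by a CA the client trusts; ordinary
# validation accepts it because the CA itself is trusted.
FORGED_CHAIN = [
    Cert("*.google.com", "DigiNotar", FORGED_KEY),
    Cert("DigiNotar", "DigiNotar", b"constructed: diginotar root key"),
]

# What each vantage point observed for the host. Three are outside the
# redirected network; one sits behind the same ISP and saw the forged key too,
# which is why a quorum across diverse notaries matters.
NOTARIES = {
    "notary-a": spki_pin(GENUINE_CHAIN[0]),
    "notary-b": spki_pin(GENUINE_CHAIN[0]),
    "notary-c": spki_pin(GENUINE_CHAIN[0]),
    "notary-d": spki_pin(FORGED_CHAIN[0]),
}


def evaluate(chain: list[Cert], notaries: dict[str, str] = NOTARIES,
             quorum: int = 3) -> dict:
    """Run both checks on the chain a client received and report the outcome."""
    pin_ok = chain_matches_pins(chain, GOOGLE_PINS)
    notary_ok, disagreeing = notary_consensus(spki_pin(chain[0]), notaries, quorum)
    return {"pin_ok": pin_ok, "notary_ok": notary_ok, "disagreeing": sorted(disagreeing)}


if __name__ == "__main__":
    for name, chain in (("genuine", GENUINE_CHAIN), ("forged", FORGED_CHAIN)):
        print(name, evaluate(chain))
```

The genuine chain passes both checks; the forged chain fails the pin check outright and fails the notary check because only the notary sitting behind the same redirected network agrees with it. Lowering the quorum to one would let that single co-located notary vouch for the forged key, which is the reason a tool of this kind needs vantage points on networks the attacker does not control.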
Experts can build tools to detect spying on https traffic partly because such encrypted, authenticated communications are inherently harder to spy upon. By contrast, every state, and many criminal and commercial groups, can trivially spy on unencrypted data with no chance of being spotted. Almost all of the communications of journalists and news media, including messages between sources and reporters, continue to pass over the Internet with no protection from snooping at all.
Detectable surveillance will always represent the tip of the iceberg. Journalists who expect attacks from criminals or even their own governments need to take proactive steps, including using https and tools like Tor, and protect themselves, even if they know those protections are now under concerted attack.