There has been a lot of talk recently about how someone — whom many presume is the Iranian government — obtained a fake SSL certificate for *.google.com from DigiNotar.
This is the second such case this year. In March someone (again, presumed to be the Iranian Government) obtained fraudulent certificates from Comodo for Firefox extensions, Google, Gmail, Skype, Windows Live, and Yahoo.
(Interestingly, while everybody is removing DigiNotar's certificate authority key from their trusted lists, Comodo — which has issued far more certificates — is still widely trusted. I wonder if they got a free ride because nobody wants to ship "the web browser which doesn't work with my bank".)
If you want to be really evil, however, *.google.com is the wrong SSL certificate to forge.
The right one is ssl.google-analytics.com.
By many reports, Google Analytics is used by almost half a million of the most prominent websites.
Anyone who can impersonate that host can inject JavaScript into every page that loads it. Read all the text on the page? No problem. Read the passwords you're typing in? Easy. Send the data to evil-democracy-suppressors.gov.ir? Easy with a couple of web bugs.
Sooner or later it's going to happen. Obtaining forged SSL certificates is just too easy to hope otherwise.
What can we do about it?
Put if("http:" == document.location.protocol) around the document.write or s.parentNode.insertBefore in the Google Analytics snippet, so that the tracking script is only loaded on plain HTTP pages.
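The asynchronous Google Analytics snippet of the time with that guard applied, as an added example that is not code from the original post; the tracking ID is a placeholder and the fake document is constructed so the guard can be exercised outside a browser.

```javascript
// Added example, not from the original post: the asynchronous Google Analytics
// loader with the protocol check the post recommends.

// True only when the page was served over plain HTTP. On HTTPS pages the
// analytics script is never inserted, so a forged certificate for
// ssl.google-analytics.com has nothing to intercept on those pages.
function shouldLoadAnalytics(protocol) {
  return protocol === 'http:';
}

// The URL selection from the original snippet, kept for reference; with the
// guard above only the http://www branch is ever reached.
function analyticsScriptUrl(protocol) {
  return (protocol === 'https:' ? 'https://ssl' : 'http://www') +
    '.google-analytics.com/ga.js';
}

// Inserts the ga.js loader into `doc` only for HTTP pages. Returns the created
// script element, or null when nothing was inserted.
function loadAnalytics(doc) {
  if (!shouldLoadAnalytics(doc.location.protocol)) {
    return null;
  }
  var ga = doc.createElement('script');
  ga.type = 'text/javascript';
  ga.async = true;
  ga.src = analyticsScriptUrl(doc.location.protocol);
  var s = doc.getElementsByTagName('script')[0];
  s.parentNode.insertBefore(ga, s);
  return ga;
}

// Constructed stand-in for the browser's document (not a real DOM) that records
// what would have been inserted, so the guard can be checked without a browser.
function makeFakeDocument(protocol) {
  var inserted = [];
  var firstScript = { parentNode: { insertBefore: function (el) { inserted.push(el); } } };
  return {
    location: { protocol: protocol },
    createElement: function (tag) { return { tagName: tag }; },
    getElementsByTagName: function () { return [firstScript]; },
    inserted: inserted
  };
}

// In a real page (placeholder tracking ID):
//   var _gaq = _gaq || [];
//   _gaq.push(['_setAccount', 'UA-XXXXX-X']);
//   _gaq.push(['_trackPageview']);
//   loadAnalytics(document);
```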
I've been doing this for years on the website for my Tarsnap online backup service. This is not just out of concern about forged SSL certificates, but also because I don't want Google to be able to steal my users' passwords.
And if you trust Google and you're not worried about Iran's demonstrated ability to obtain forged SSL certificates, ask yourself this: Do you trust the Chinese Ministry of Information Industry?
Because your web browser probably does.
This article first appeared on Percival's blog. Republished with permission.