There has been a lot of talk recently about how someone — whom many presume is the Iranian government — obtained a fake SSL certificate for *.google.com from DigiNotar.
This is the second such case this year. In March someone (again, presumed to be the Iranian Government) obtained fraudulent certificates from Comodo for Firefox extensions, Google, Gmail, Skype, Windows Live, and Yahoo.
 |
(Interestingly, while everybody is removing DigiNotar's certificate authority key from their trusted lists, Comodo — which has issued far more certificates — is still widely trusted. I wonder if they got a free ride because nobody wants to ship "the web browser which doesn't work with my bank".)
If you want to be really evil, however, *.google.com is the wrong SSL certificate to forge.
The right one is ssl.google-analytics.com.
By many reports, Google Analytics is used by almost half a million of the most prominent websites.
Google Analytics works like this: Each web page has a <script> tag which loads the Google Analytics Javascript. That code then gathers information and forwards it to Google. Privacy issues aside, it works well — as long as the javascript does what it should.
If it is tampered, it can do anything Javascript can normally do — with the permission of the web page it is running.
Read all the text on the page? No problem. Read the passwords you're typing in? Easy. Send the data to evil-democracy-suppressors.gov.ir? Easy with a couple of web bugs.
The request to fetch the Google Analytics Javascript will be performed via HTTPS if Google Analytics is installed correctly.
But if you have an SSL certificate for ssl.google-analytics.com you can supply your evil Javascript anyway.
Sooner or later it's going to happen. Obtaining forged SSL certificates is just too easy to hope otherwise.
What can we do about it?
Don't load the Google Analytics javascript when your site is accessed via HTTPS.
Instead, use this code will load the Google Analytics Javascript.
if("http:" == document.location.protocol) around the document.write or s.parentNode.insertBefore
I've been doing this for years on the website for my Tarsnap online backup service. This is not just out of concern of forged SSL certificates, but also because I don't want Google to be able to steal my users' passwords.
And if you trust Google and you're not worried about Iran's demonstrated ability to obtain forged SSL certificates, ask yourself this: Do you trust the Chinese Ministry of Information Industry?
Because your web browser probably does.
This article first appeared on Percival's blog. Republished with permission.
