Author Topic: EFF Warns Against False SSL Certificate Surveillance  (Read 782 times)


Offline GhostShip

  • Ret. WinMX Special Forces
  • WMW Team
EFF Warns Against False SSL Certificate Surveillance
« on: September 14, 2011, 01:43:49 am »
It seems the recent web user hijacking skulduggery in Iran is just the tip of the iceberg.

http://www.eff.org/deeplinks/2011/09/post-mortem-iranian-diginotar-attack

Quote
More facts have recently come to light about the compromise of the DigiNotar Certificate Authority, which appears to have enabled Iranian hackers to launch successful man-in-the-middle attacks against hundreds of thousands of Internet users inside and outside of Iran.

Existing web browsers, email clients and operating systems depend on Certificate Authorities (CAs), and the SSL certificates they produce, in order to know that you are really visiting the domain that you intended to visit. If these certificates are false, someone in control of a network can tamper with and spy on connections. A hacker who gets a certificate for mail.google.com, for instance, will be able to steal people's Gmail passwords and hijack their accounts. A hacker who gets a certificate for addons.mozilla.org or *.microsoft.com might be able to install malicious software on victims' computers. In fact, these kinds of attacks against Gmail happened on a massive scale during July and August of this year.

Certificate-based attacks are a concern all over the world, including in the U.S., since governments everywhere are eagerly adopting spying technology to eavesdrop on the public. Vendors of this technology seem to suggest the attacks can be done routinely. Similar attacks may have happened before — this attack is just the first whose details we know about. EFF's SSL Observatory has helped to map out the problem by showing the ways in which CAs are related to one another. Soon, we will launch the Decentralized SSL Observatory, which will offer a real-time method of detecting and protecting against these attacks. We will also have more to say about possible ways of cross-checking and fixing the CA infrastructure in a more sustainable way.



Whilst it's excellent news that such activity is being monitored, it's not such good news in reality, as unfortunately no one yet has an answer to this problem. Foreign or domestic intelligence agencies are free to undertake this kind of man-in-the-middle attack, often with no one knowing it's occurred and with little to no oversight of who has stolen what data or, worse, valuable passwords. Let's hope this situation is cleaned up before it's abused further to the detriment of us all.

Offline DaBees-Knees

  • WMW Team
Re: EFF Warns Against False SSL Certificate Surveillance
« Reply #1 on: September 14, 2011, 02:16:50 am »
The main problem in a situation like this is each government wants the ability to spy on everyone else, but objects to other governments having the ability to do the same. Horror of horrors if China is found spying on America. Now ask who America is spying on?  ;)
