Nearly 300,000 Iranian IP addresses likely compromised

Security firm Fox-IT said over 99 percent of the validity checks on a rogue certificate came from Iran

Close to 300,000 unique IP addresses from Iran checked the validity of a rogue certificate issued by Dutch digital certificate authority DigiNotar, according to an interim report by security firm Fox-IT released on Monday.

The rogue certificate, issued on July 10 by DigiNotar, was finally revoked on Aug. 29.

"Around 300.000 unique requesting IPs to have been identified," Fox-IT said in the report. On Aug. 4 the number of requests rose quickly until the certificate was revoked on Aug. 29. Of these IP (Internet Protocol) addresses, more than 99 percent originated from Iran.

The list of IP addresses will be handed over to Google, which can inform users that their e-mail might have been intercepted during this period, Fox-IT said.

Not only the e-mail itself but also a login cookie could have been intercepted, it added. With this cookie the attacker can log in directly to the user's Gmail mailbox and to other Google services without knowing the password.

"The login cookie stays valid for a longer period," Fox-IT said. It would be wise for all users in Iran to at least log out and log in again, and better still to change their passwords, it added.

A sample of the IP addresses outside Iran seen during the period consisted mainly of Tor exit nodes, proxies and VPN (virtual private network) servers, with almost no direct subscribers, according to the report, which analyzed OCSP (Online Certificate Status Protocol) request logs.

Current browsers perform an OCSP check as soon as they connect to an SSL (secure sockets layer) website over https (hypertext transfer protocol secure): the browser asks the issuing CA's OCSP responder whether the certificate it has just been presented is revoked. That is why the logs of DigiNotar's responder record the addresses of clients that were shown the rogue certificate. Most browsers treat an OCSP lookup that fails or times out as a soft failure and continue with the connection, so a client whose OCSP request was blocked by the attacker or never sent would not appear in the logs; the 300,000 figure is therefore a lower bound.
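The analysis described above, reduced to its core, is a count of unique requesting addresses per certificate serial in an OCSP responder's access log, broken down by origin and by day. The script below is an added illustration, not Fox-IT's tooling or DigiNotar's log format: the log layout, the sample lines, the certificate serial and the network-to-label table that stands in for a GeoIP database and a Tor exit list are all constructed for the example.

```python
"""Count unique clients that queried one certificate in OCSP responder logs.

Constructed example: the log format, sample lines, serial number and the
network labels below are invented for illustration.
"""
import ipaddress
import re
from collections import defaultdict

# Assumed (constructed) responder access-log format, one request per line:
#   <client_ip> <YYYY-MM-DD> <HH:MM:SS> OCSP serial=<hex serial of the cert queried>
LOG_RE = re.compile(
    r"^(?P<ip>\S+) (?P<date>\d{4}-\d{2}-\d{2}) \d{2}:\d{2}:\d{2} "
    r"OCSP serial=(?P<serial>[0-9A-Fa-f]+)$"
)

# Constructed stand-in for a GeoIP database plus a Tor exit list: (network, label).
# A real analysis would consult a GeoIP database and the published Tor exit list.
NETWORK_LABELS = [
    (ipaddress.ip_network("10.0.0.0/8"), "IR"),
    (ipaddress.ip_network("192.0.2.0/24"), "NL"),
    (ipaddress.ip_network("198.51.100.0/24"), "TOR_EXIT"),
]

ROGUE_SERIAL = "0A1B2C3D"  # constructed serial standing in for the rogue certificate

# Constructed sample log: one client checks twice, one line is malformed,
# one request is for a different certificate.
SAMPLE_LOG = """\
10.1.2.3 2011-08-04 09:12:01 OCSP serial=0A1B2C3D
10.1.2.3 2011-08-04 09:12:05 OCSP serial=0A1B2C3D
10.7.7.7 2011-08-04 10:00:00 OCSP serial=0A1B2C3D
10.9.9.9 2011-08-05 11:30:00 OCSP serial=0A1B2C3D
198.51.100.5 2011-08-05 12:00:00 OCSP serial=0A1B2C3D
192.0.2.10 2011-08-05 13:00:00 OCSP serial=DEADBEEF
garbage line
"""


def parse_line(line):
    """Return (ip, date, serial) for a well-formed log line, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    try:
        ip = ipaddress.ip_address(m.group("ip"))
    except ValueError:
        return None
    return ip, m.group("date"), m.group("serial").upper()


def label_ip(ip):
    """Map a client address to a country or exit-node label; 'OTHER' if unknown."""
    for net, label in NETWORK_LABELS:
        if ip in net:
            return label
    return "OTHER"


def summarize(log_text, serial):
    """Unique requesting IPs for one certificate serial, by label and by day."""
    serial = serial.upper()
    seen = set()
    by_label = defaultdict(int)
    daily = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than abort the run
        ip, date, s = rec
        if s != serial:
            continue  # only the certificate under investigation
        daily[date].add(ip)  # per-day unique clients reveal the spike
        if ip in seen:
            continue  # repeated checks from one client count once
        seen.add(ip)
        by_label[label_ip(ip)] += 1
    total = len(seen)
    return {
        "unique_ips": total,
        "by_label": dict(by_label),
        "share": {k: v / total for k, v in by_label.items()} if total else {},
        "daily": {d: len(ips) for d, ips in sorted(daily.items())},
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG, ROGUE_SERIAL))
```

On the sample input the rogue serial is queried by four distinct clients, three labelled IR and one Tor exit, two per day on each of the two days. Because OCSP is soft-fail in most browsers, a responder log of this kind can only show clients whose requests reached the responder; it cannot count victims whose OCSP traffic the attacker suppressed.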

Tor is a distributed anonymity network used by people to prevent being tracked by websites, or to reach instant messaging and other services when these are blocked by their local Internet service providers.

A total of 531 rogue digital certificates were issued, for domains that included those of the CIA and Israel's Mossad.

The list of domains and the fact that 99 percent of the users are in Iran suggest that the objective of the hackers was to intercept private communications in Iran, Fox-IT said.

Google said on Aug. 29 that it received reports of "attempted SSL man-in-the-middle (MITM) attacks" against Google users, whereby someone tried to get between them and encrypted Google services. The people affected were primarily located in Iran.

The attacker used a fraudulent SSL certificate issued by DigiNotar which has since revoked it, Google said in a blog post.

Trend Micro, another security firm, said on Monday that the domain was mostly loaded by Dutch and Iranian Internet users until Aug. 30. The domain name is the one Internet browsers contact to check the validity of SSL certificates issued by DigiNotar.

DigiNotar is a small Dutch certification authority with customers mainly in the Netherlands. "We, therefore, expect this domain name to be mostly requested by Dutch Internet users and perhaps a handful of users from other countries but certainly not by a lot of Iranians," Trend Micro's senior threat researcher, Feike Hacquebord, said in a blog post.

From analysis of Trend Micro Smart Protection Network data, the company found that a significant share of the Internet users who loaded DigiNotar's SSL certificate verification URL (uniform resource locator) were from Iran on Aug. 28; by Aug. 30 most of the traffic from Iran had disappeared, and by Sept. 2 almost all of it was gone.

It became public on the evening of Aug. 29 that a rogue * certificate had been presented to a number of Internet users in Iran, according to the Fox-IT report. The false certificate had been issued by DigiNotar and was revoked that same evening.

Fox-IT was contacted the next day and asked to investigate the breach and report its findings before the end of the week.

Fox-IT's report indicates that the initial compromise at DigiNotar may have occurred on June 17. DigiNotar noticed the incident on June 19 in its daily audit procedure but doesn't appear to have done anything about it. The company could not be immediately reached for comment.

The first rogue certificate, *, was issued on July 10. All the other rogue certificates were issued between July 10 and July 20.

The hack implies that the current network setup and procedures at DigiNotar are not sufficiently secure to prevent this kind of attack, Fox-IT said. The most critical servers, for example, contain malicious software that can normally be detected by anti-virus software. The separation of critical components was not functioning or was not in place, it added.

John Ribeiro covers outsourcing and general technology breaking news from India for The IDG News Service. Follow John on Twitter at @Johnribeiro. John's e-mail address is
