If you needed confirmation of Google's claim that the rogue SSL certificate issued by DigiNotar for *.google.com was used mainly to mount man-in-the-middle attacks against users in Iran, Trend Micro researchers have offered it.
Using data collected by the company's Smart Protection Network, they noticed that the validation.diginotar.nl domain, which hosts DigiNotar's OCSP responder (the service a browser queries to check whether a certificate issued by the Dutch CA has been revoked) and is normally requested almost exclusively by Dutch users, saw a spike of requests from Iranian users on more than 40 different ISP and university networks on August 28, the day before the rogue certificate's existence was discovered. A browser only contacts that responder when it is presented with a certificate chaining to DigiNotar, so a burst of Iranian lookups points to Iranian browsers being handed DigiNotar-issued certificates they would not normally encounter.
Five days later the Iranian traffic had disappeared completely, and the domain was once again requested almost exclusively by Dutch Internet users.
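The signal Trend Micro describes is a geographic anomaly in OCSP responder traffic: a country that normally contributes almost nothing suddenly sends requests from many distinct networks, then falls silent again. The script below is an added example (not Trend Micro's or DigiNotar's code) of how a defender could detect that pattern in their own responder or web-rating logs. The log format, the private-use ASNs (AS64512 and up), the dates and the thresholds are all constructed assumptions for illustration; only the responder hostname comes from the article.

```python
from collections import defaultdict
from statistics import median

# Constructed sample of OCSP responder access log lines (NOT real DigiNotar data).
# Format assumed here: "<date> <client country> <client ASN> <requested host>".
# ASNs are from the private-use range so they cannot be mistaken for real networks.
SAMPLE_LOG = """\
2011-08-25 NL AS64512 validation.diginotar.nl
2011-08-25 NL AS64513 validation.diginotar.nl
2011-08-25 NL AS64512 validation.diginotar.nl
2011-08-25 DE AS64600 validation.diginotar.nl
2011-08-26 NL AS64512 validation.diginotar.nl
2011-08-26 NL AS64514 validation.diginotar.nl
2011-08-26 NL AS64513 validation.diginotar.nl
2011-08-27 NL AS64512 validation.diginotar.nl
2011-08-27 NL AS64513 validation.diginotar.nl
2011-08-27 IR AS65001 validation.diginotar.nl
2011-08-28 NL AS64512 validation.diginotar.nl
2011-08-28 IR AS65001 validation.diginotar.nl
2011-08-28 IR AS65002 validation.diginotar.nl
2011-08-28 IR AS65003 validation.diginotar.nl
2011-08-28 IR AS65004 validation.diginotar.nl
2011-08-28 IR AS65001 validation.diginotar.nl
2011-08-28 IR AS65005 validation.diginotar.nl
2011-08-28 IR AS65006 validation.diginotar.nl
2011-08-29 NL AS64512 validation.diginotar.nl
2011-08-29 NL AS64513 validation.diginotar.nl
2011-08-29 IR AS65001 validation.diginotar.nl
2011-09-02 NL AS64512 validation.diginotar.nl
2011-09-02 NL AS64513 validation.diginotar.nl
2011-09-02 NL AS64514 validation.diginotar.nl
"""


def parse_log(text):
    """Yield (day, country, asn, host) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        yield tuple(parts)


def daily_country_stats(records, host):
    """Per day and country: request count and the set of distinct client ASNs."""
    stats = defaultdict(lambda: defaultdict(lambda: {"requests": 0, "asns": set()}))
    for day, country, asn, h in records:
        if h != host:
            continue
        entry = stats[day][country]
        entry["requests"] += 1
        entry["asns"].add(asn)
    # Convert to plain dicts so later lookups cannot silently create entries.
    return {day: dict(per_country) for day, per_country in stats.items()}


def detect_geo_spikes(stats, min_factor=3.0, min_asns=3):
    """Flag (day, country) pairs where the request count is at least min_factor
    times that country's median on the other days AND the traffic comes from at
    least min_asns distinct networks. The second condition separates a real
    population of victims from a single noisy client."""
    days = sorted(stats)
    countries = {c for d in days for c in stats[d]}
    alerts = []
    for country in countries:
        counts = {d: stats[d].get(country, {"requests": 0})["requests"] for d in days}
        for day in days:
            others = [counts[d] for d in days if d != day]
            baseline = median(others) if others else 0
            n_asns = len(stats[day].get(country, {"asns": set()})["asns"])
            if counts[day] >= min_factor * max(baseline, 1) and n_asns >= min_asns:
                alerts.append({"day": day, "country": country,
                               "requests": counts[day], "asns": n_asns,
                               "baseline": baseline})
    return sorted(alerts, key=lambda a: (a["day"], a["country"]))


def run_example(host="validation.diginotar.nl"):
    """Run the detector over the constructed sample and return its alerts."""
    stats = daily_country_stats(parse_log(SAMPLE_LOG), host)
    return detect_geo_spikes(stats)


if __name__ == "__main__":
    for alert in run_example():
        print(alert)  # flags 2011-08-28 / IR: 7 requests from 6 networks
```

On the constructed sample only August 28 for IR trips the detector; the single Iranian lookups on the surrounding days stay below both thresholds, which is the behaviour you want if you are hunting for a population of victims rather than one stray client. Real OCSP requests also carry the serial number of the certificate being checked, which this log format omits; keying the same statistics on serial number would tell you which certificate the unexpected clients were being shown.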
A deeper analysis of the data painted an even grimmer picture. “Outgoing proxy nodes in the US of anti-censorship software made in California were sending web rating requests for validation.diginotar.nl to the cloud servers of Trend Micro,” shared the researchers.
“Very likely this means that Iranian citizens, who were using this anti-censorship software, were victims of the same man-in-the-middle attack. Their anti-censorship software should have protected them, but in reality their encrypted communications were probably snooped on by a third party.”
It is still unknown who was behind these attacks, but judging by the targeted users and the array of other sites for which rogue certificates were issued during the breach, the theory that the Iranian government initiated them fits the evidence best.