Archive

Tag Archives: Iran

) Anti-war activists have held a day of action in key British cities to warn the authorities against a potential attack on Iran. A similar rally is expected in the capital of Israel, which is leading calls to strike over Tehran’s nuclear programme. Campaigners fear the mounting pressure could escalate into all-out war, the effects of which would reverberate globally. RT talks to British MP Jeremy Corbyn, who’s also a member of the ‘Stop the War Coalition’, which organised the UK protests.

More on the story http://on.rt.com/3k50jf

Advertisements

With harsh US rhetoric and tensions around Iran’s nuclear program snowballing by the hour, American polls nonetheless show that most Americans think a war with Tehran would be a grave mistake. But do the leaders care?

­Despite Iran’s recent consent to return to negotiations over its atomic work, the Obama administration says war with Tehran is still on the table. Even harsher statements come from some of Washington’s hawks like Newt Gingrich, who spoke of breaking the Iranian regime within a year.

(eff.org) What’s worse than finding a worm in your apple? Finding half a worm.

What’s worse than discovering that someone has launched a man-in-the-middle attack against Iranian Google users, silently intercepting everything from email to search results and possibly putting Iranian activists in danger? Discovering that this attack has been active for two months.

People all over the world use Google services for sensitive or private communications every day. Google enables encrypted connections to these services in order to protect users from spying by those who control the network, such as ISPs and governments. Today, the security of this encryption relies entirely on certificates issued by certificate authorities (CAs), which continue to prove vulnerable to attack. When an attacker obtains a fraudulent certificate, he can use it to eavesdrop on the traffic between a user and a website even while the user believes that the connection is secure.

The certificate authority system was created decades ago in an era when the biggest on-line security concern was thought to be protecting users from having their credit card numbers intercepted by petty criminals. Today Internet users rely on this system to protect their privacy against nation-states. We doubt it can bear this burden.

This latest attack was reportedly caught by a user running the Google Chrome browser in Iran who noticed a warning produced by the “public key pinning” feature which Google introduced in May of this year. Basically, Google hard-coded the fingerprints for its own sites’ encryption keys into Chrome, and told the browser to simply ignore contrary information from certificate authorities. That meant that even if an attacker got a hold of a fake certificate for a Google site—as this attacker did—newer versions of the Chrome browser would not be fooled.

Certificate authorities have been caught issuing fraudulent certificates in at least half a dozen high-profile cases in the past two years and EFF has voiced concerns that the problem may be even more widespread. But this is the first time that a fake certificate is known to have been successfully used in the wild. Even worse, the certificate in this attack was issued on July 10th 2011, almost two months ago, and may well have been used to spy on an unknown number of Internet users in Iran from the moment of its issuance until it was revoked earlier today. To be effective, fraudulent certificates do not need to have been issued by the same authority that issued the legitimate certificates. For example, the certificate in question here was issued by a Dutch certificate authority with which Google had no business relationship at all; that didn’t make it any less acceptable to web browsers.

As the problems with the certificate authority system become clear, lots of people are working on ways to detect and mitigate these attacks. Chrome’s pinning feature is available not only to Google web sites but to any webmaster; if you run an HTTPS site, you can contact the Chrome developers and get your site’s keys hard-coded. Other browser vendors may implement a similar feature soon. The same result could also be achieved by giving web sites themselves a way to tell browsers what certificates to anticipate—and efforts to do this are now underway, building on top of DNSSEC or HSTS. Then browsers could simply not believe conflicting information, or at least provide a meaningful way to report it or warn the user about the situation.

EFF’s own SSL Observatory aims to find attacks of this kind in the wild. Soon, our ability to do this will be expanded significantly as we deploy distributed certificate reporting features in HTTPS Everywhere and other browser add-on software; this will let users choose to tell us about the certificates they encounter for the sites they visit, letting us or other researchers or webmasters notice when people on a particular network or in a particular country are presented with an unusual certificate for a site. A new browser add-on called Convergence also aims to replace the certificate authority system entirely with a distributed reporting mechanism inspired by Perspectives. There are also further-reaching proposals to create new infrastructure for securely distributing cryptographic keys, and EFF is actively involved in research in this area.

The good news is that the computer security community is now taking this threat very seriously. Unfortunately, the bad news is spectacularly bad: users in Iran (or on any network where an eavesdropper had the key to this certificate) may have been vulnerable for two months. What’s more, there are hundreds of certificate authorities in dozens of jurisdictions, and several have been tricked into issuing false certificates. So there may well be other certificates like this out there that we don’t know about. That means almost all Internet users are still vulnerable to this sort of attack.

Source: https://www.eff.org/deeplinks/2011/08/iranian-man-middle-attack-against-google

(hrw.org) Iranian security forces should stop using teargas and batons to disperse peaceful crowds gathered in support of the popular movements in Egypt and Tunisia, Human Rights Watch said today. The authorities should also release opposition leaders and activists arbitrarily detained, and permit the free flow of communications channels, Human Rights Watch said.

On February 14, 2011, demonstrations took place throughout Iran after authorities conducted a wave of arrests against opposition activists, placed the opposition leaders Mir Hossein Mousavi and Mehdi Karroubi under house arrest, and clamped down telephone and satellite communications and the internet. Initial reports from Tehran and other cities indicate that police, anti-riot police, and plainclothes officers attacked demonstrators, including physical assaults and the use of teargas and batons, to break up crowds, silence people chanting anti-government slogans, and prevent protesters from taking photos. Numerous demonstrators were injured, witnesses told Human Rights Watch. There are also reports of numerous arrests. Read More