Iran listens in on dissidents with Dutch help

RNW, 30 August 2011

The Iranian government has been listening in on secure e-mail traffic with the help of a Dutch company. Iran appears to have obtained an officially approved web security certificate which enabled it to intercept messages sent on Google’s e-mail service Gmail.

This certificate meant that Iranian users were under the impression they had a secure link to the Gmail site, without third parties being able to monitor their messages. Their web browser responded to the certificate assuring them this was the case.

But the certificate in question was one that the Iranian authorities obtained from Dutch firm Diginotar. Details leaked on Monday indicate that this certificate was issued to point to Google domain names.

But if the company had followed proper procedure, it would have been immediately clear that there was something wrong, since Google’s domain names are already certified.

All this is reason enough for web browsers such as Internet Explorer and Firefox to remove Diginotar from their list of trusted certificates. From now on these browsers will warn visitors to websites with a Diginotar certificate that the connection may not be secure.

The company, which also administers certificates for the Dutch government, has yet to comment on the issue. The government websites will remain unaffected, since their certificates are not registered directly to Diginotar.

The GreenLeft party now plans to put questions to the Dutch Foreign Minister and the European Commission on the issue.