by TobiHeidi 5404 days ago
Just by having a forged SSL Certificate for ssl.google-analytics.com, how can they supply their javascript? The request still goes to the google servers and not to any evil-democracy-suppressors.gov.ir

So sure, if they could reroute the request to their servers, evil things could be done. But they can NOT. Or am I missing something?

3 comments

Of course they can reroute traffic. All they have to do is

* Force every ISP/Telco within their borders to add fake google.com entries to their DNS servers.

and/or

* Force every ISP/Telco to transparently proxy all DNS traffic and provide fake replies for google.com queries

You can even make it easier:

Just hijack IP routing at the borders, such that IP traffic to 209.85.149.99 (and all other google networks) is not routed to the real google servers on the internet, but to their own malicious filtering proxies.

Even without involving the ISPs/Telcos, they could transparently hijack and proxy you. For a whole country it might be a rather big task, though, but here's what you do:

* Find all the cables carrying internet traffic in/out of your country.

* Bring a shovel, dig up the cables.

* Break the cables.

* Hook up the cables to your transparent proxy/filtering machinery.

Done properly, all anyone would know was some lights flickering in the few seconds the cables were broken.
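
The DNS-poisoning variant described in this comment (an ISP resolver handing out a forged A record for a Google hostname) is the one a client can detect without any cooperation from the network, if it knows which address ranges the real service answers from. The following is an added example for this thread, not code posted by anyone here: it parses a DNS response in wire format, pulls out the A records for the queried name, and flags any answer outside a pinned prefix list. The prefix list and the two sample packets are constructed for the demo; only the address 209.85.149.99 comes from the thread, and the allow-listed prefix around it is an assumption, not Google's real address plan.

```python
"""Detect a spoofed DNS answer for a pinned hostname (added example)."""
import ipaddress
import struct

# Hypothetical allow-list: prefixes the operator has recorded the genuine
# service answering from. Assumption for the demo, not Google's real list.
EXPECTED_PREFIXES = {
    "ssl.google-analytics.com": [ipaddress.ip_network("209.85.128.0/17")],
}


def build_response(name: str, addresses: list[str], txid: int = 0x1234) -> bytes:
    """Construct a minimal DNS response packet (only used to make sample input)."""
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addresses), 0, 0)  # QR=1, RD=1, RA=1
    question = qname + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    answers = b""
    for addr in addresses:
        # Owner name is a compression pointer to offset 12, the start of the question.
        answers += struct.pack("!HHHIH", 0xC00C, 1, 1, 300, 4) + ipaddress.IPv4Address(addr).packed
    return header + question + answers


def _read_name(data: bytes, offset: int) -> tuple[str, int]:
    """Read a possibly compressed domain name; return (name, offset after the name)."""
    labels, jumped, end, hops = [], False, offset, 0
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # RFC 1035 compression pointer
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2  # the name occupies two bytes in the record
            jumped = True
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    if not jumped:
        end = offset
    return ".".join(labels), end


def parse_a_records(packet: bytes) -> tuple[str, list[str]]:
    """Return (question name, list of A-record addresses) from a DNS response."""
    _txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    if not flags & 0x8000:
        raise ValueError("packet is a query, not a response")
    offset, qname = 12, None
    for _ in range(qdcount):
        name, offset = _read_name(packet, offset)
        offset += 4  # skip QTYPE and QCLASS
        qname = qname or name
    addresses = []
    for _ in range(ancount):
        _owner, offset = _read_name(packet, offset)
        rtype, rclass, _ttl, rdlength = struct.unpack("!HHIH", packet[offset:offset + 10])
        offset += 10
        rdata = packet[offset:offset + rdlength]
        offset += rdlength
        if rtype == 1 and rclass == 1 and rdlength == 4:  # A record, class IN
            addresses.append(str(ipaddress.IPv4Address(rdata)))
    return qname, addresses


def check_response(packet: bytes) -> dict:
    """Classify a response as ok / suspicious / unpinned against EXPECTED_PREFIXES."""
    name, addrs = parse_a_records(packet)
    expected = EXPECTED_PREFIXES.get(name.lower())
    if expected is None:
        return {"name": name, "status": "unpinned", "unexpected": []}
    unexpected = [a for a in addrs if not any(ipaddress.ip_address(a) in net for net in expected)]
    return {"name": name, "status": "suspicious" if unexpected else "ok", "unexpected": unexpected}


# Constructed sample packets: a genuine-looking reply and a poisoned one that
# points the same name at RFC 5737 documentation space.
GENUINE = build_response("ssl.google-analytics.com", ["209.85.149.99"])
POISONED = build_response("ssl.google-analytics.com", ["203.0.113.10"])

if __name__ == "__main__":
    for label, pkt in (("genuine", GENUINE), ("poisoned", POISONED)):
        print(label, check_response(pkt))
```

This only catches the resolver-side attack. For the route-hijack and cable-tap variants above, the client receives the correct IP address and the wrong machine simply answers on it, so the prefix check passes; there the only client-side control is TLS certificate validation, which is exactly why a forged certificate for the hostname matters in this thread.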

I imagine that more sophisticated networking equipment uses something like TDR (https://secure.wikimedia.org/wikipedia/en/wiki/Time-domain_r...) to detect when the cables have changed in length. Some PC BIOSes include a tool that will report the length of attached network cables, whether or not there is a system at the other end.

If they can reroute traffic, why can't they exchange the certificates in downloaded versions of Firefox?

It'd be a far greater task intercepting all downloads for every browser out there and replacing it with a malicious one. Besides, you'd not get to hijack people browsing with the IE that came installed on their PC, which likely outnumbers Firefox users.

I don't think the Iranian government has any difficulty forcing telecommunications companies to install filtering / interception boxes.

So then they can only fake the traffic in their country, which they can do anyway with non-SSL traffic. It sounds more like this could be a global attack.
I'm not sure if I understand your comment here.

It's 'local', since you somehow need a way to intercept the traffic and there's a limit to the feasibility. Let's say this is 'local' for everyone in Iran.

But going for the certificate Colin suggests broadens the attack quite a lot: Instead of being able to serve your own version of GMail/intercepting mail traffic, you're now able to inject JavaScript into what? 60% of the websites of the net? Basically everyone using Google Analytics now silently serves your code and the browser runs it without warnings.

So local/global is orthogonal to this impersonation 'improvement'. Even if you do this (somehow tricking a CA) yourself in the internet cafe of your choice, you would make the attack so much worse if you don't target a single service anymore and inject your code into as much content as possible.

The aim is for monitoring traffic from within Iran.

The government almost certainly controls all internet traffic entering or leaving the country at the ISPs, and could intercept and/or redirect it as necessary.