UPDATED 15:45 EDT / AUGUST 30 2011

Fraudulent Google Certificate Put Iranian Users At Risk for Two Months

An Iranian user recently uncovered a man-in-the-middle attack that used a fraudulent certificate for Google domains such as *.google.com. It appears that an Iranian ISP may have been silently intercepting citizens’ Internet communications by serving them a bogus certificate whenever they tried to connect securely to Google’s properties.

The worst part: the fraudulent certificate carries an issue date of July 10th, 2011, meaning the interception may have been going on for almost two months.

The Electronic Frontier Foundation has published an extensive examination of the attack and the weaknesses in the certificate authority network that protects the Internet.

The fraudulent certificate was apparently issued through DigiNotar, a legitimate certification authority (CA) based in the Netherlands and owned by VASCO Data Security. CAs issue such certificates so that connections over HTTP can be encrypted and authenticated using the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols. A person (or entity) who holds a certificate that browsers trust for a domain, along with its private key, can secretly intercept communications, decrypt them, read the contents (or even change them) and encrypt them again without either party being the wiser.

The certificate authority chain has been in place for a long time, but it grew out of a need to protect sensitive information in transit, such as credit card details. In fact, for the most part it is currently used as a marketing tool to tell people that they can safely make online financial transactions; it is a poor substitute for heavily encrypted communication. However, as it has become ubiquitous, the little padlock that appears when connecting to a site gives some people a sense of security about their online dealings of which they should always be wary.

On Monday, Google informed the world that it would immediately start blocking DigiNotar certificates in an attempt to curb any abuse taking place. Google also stated that DigiNotar was never authorized to issue certificates for Google’s domains in the first place (and the certificate has since been revoked). Google also made a point of noting that it was the Chrome browser, with its added security checks, that brought the problem to users’ attention in the first place.

A Google spokesman gave this statement to CNET: “A Chrome security feature warned the user of the invalid certificate and blocked them from visiting the attacker’s site. We’re pleased that the security measures in Chrome protected the user and brought this attack to the public’s attention. While we investigate, we plan to block any sites whose certificates were signed by DigiNotar.”

To protect users from this sort of problem going forward, Google has laid out plans to keep blocking DigiNotar while investigations continue. Mozilla quickly removed DigiNotar’s certificates from its Firefox browser. Microsoft also took prompt action.
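The two browser-side defenses described above, as an added Go example that is not part of the original article: a key-pin check of the kind Google credits Chrome with (the site’s own public key is hashed and compared against an expected set, so a certificate for the same names from any other trusted CA still fails), and an issuer distrust list of the kind the vendors applied to DigiNotar. The CA names, the host and the certificates are constructed test material, and the distrust list is keyed on the issuer’s common name for simplicity.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// spkiHash is hex(SHA-256(SubjectPublicKeyInfo)); browser pin lists use base64 of the same digest.
func spkiHash(cert *x509.Certificate) string {
	return fmt.Sprintf("%x", sha256.Sum256(cert.RawSubjectPublicKeyInfo))
}

// checkLeaf adds the article's two defenses on top of ordinary chain validation: refuse a distrusted issuer
// (the DigiNotar block), and for a pinned host refuse any key outside the pin set even if a trusted CA signed it (the Chrome check).
func checkLeaf(cert *x509.Certificate, pins, distrusted map[string]bool) error {
	if distrusted[cert.Issuer.CommonName] {
		return fmt.Errorf("issuer %q is distrusted", cert.Issuer.CommonName)
	}
	if len(pins) > 0 && !pins[spkiHash(cert)] {
		return fmt.Errorf("%v: key from issuer %q is not pinned", cert.DNSNames, cert.Issuer.CommonName)
	}
	return nil
}

// issue signs a leaf for host with a throwaway CA named caName; everything here is constructed test material.
func issue(caName, host string) *x509.Certificate {
	_, caKey, _ := ed25519.GenerateKey(rand.Reader)
	leafPub, _, _ := ed25519.GenerateKey(rand.Reader)
	ca := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: caName}}
	leaf := &x509.Certificate{SerialNumber: big.NewInt(2), DNSNames: []string{host}, NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, leaf, ca, leafPub, caKey)
	if err != nil {
		panic(err) // only reachable if the templates above are malformed
	}
	cert, _ := x509.ParseCertificate(der) // DER just produced by CreateCertificate always parses
	return cert
}

func main() {
	// Same names, but the rogue certificate has a different key and a different issuer.
	genuine, rogue := issue("Genuine CA (constructed)", "*.google.com"), issue("DigiNotar test CA (constructed)", "*.google.com")
	pins := map[string]bool{spkiHash(genuine): true} // Chrome's check compared against Google's own keys
	block := map[string]bool{rogue.Issuer.CommonName: true}
	fmt.Println(checkLeaf(genuine, pins, block), "|", checkLeaf(rogue, pins, nil), "|", checkLeaf(rogue, nil, block))
}
```

With no pin set and no distrust list, the rogue certificate passes, which is exactly the gap the article describes.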

What does this mean for the world?

Extremely popular information and communication websites will always be targets of malicious individuals and entities, from criminals to governments.

Educating ourselves about what sort of security we live with and how to use it is paramount to staying safe on the Internet. In the case of Iran, it goes a bit deeper than simply worrying about fraudulent transactions on a credit card: Iranians live in a country that frowns on dissidents and darkens cyberspace for its citizens with censorship. As a result, those who trusted Google to be a safe haven for communication because of that padlock have been put at risk of exposure, all because someone between them and Google managed to sneak into the chain of certificate authorities that their encrypted connections depend on.

The answer: Never trust something that’s not your own padlock.

The benefit of having SSL and TLS connections via HTTPS to Google, Twitter, Facebook and the like is that we can worry less about the kids around the block watching us talk to our friends online. But trusting the CA chain, which was designed to help protect our credit card transactions, is not the same level of risk as speaking our minds and protecting our anonymity when our lives might be on the line. So: always have a second line of defense when life and limb might be at risk.

Software such as GNU Privacy Guard can be integrated with many e-mail programs to secure two-way communication with other parties in a way that would be difficult for a third party to break, even if that third party managed to break the SSL connection to Google.
