Tuesday, August 30, 2011

Flaw could have let attackers steal passwords and data from apparently secure connections to Google sites such as Gmail

Security experts warn that a rogue web certificate is in circulation which could allow hackers to steal passwords and data from seemingly secure connections to websites such as Google's Gmail.

Internet users in Iran are thought to be at particular risk from a rogue SSL certificate that digitally "signs" HTTPS connections to any google.com website, and which was issued by a Dutch company called DigiNotar on 10 July. Dissidents in particular, who rely on Google's services for their safety, would have been the targets of the attack.

DigiNotar - which has no direct commercial relationship with Google - has not said to whom the certificate was issued, but the effect would be that anyone using it could make a site appear secure, so that users would think their communications were encrypted once logged in, while an attacker in control of the network could in fact eavesdrop on all their traffic, including passwords. This is known as a "man in the middle" or "MITM" attack.

The first person said to have spotted the rogue certificate appears to be an Iranian user who posted about it on a Google support forum, asking whether it was evidence of a MITM attack. The problem was observed on several Internet service providers, raising concerns that the government there might be using it to monitor dissidents and steal login details.

The user also stated that links to google.com seemed to take a longer route than links to youtube.com, yahoo.com and bing.com. The certificate does not seem to be in continuous use: "I see this fake certificate just 30 minutes or an hour a day, maybe they just test how to sniff their user," the user wrote.

On Monday evening Microsoft removed the certificate from the list of certificates allowed by its browsers. That means users would get an "invalid certificate" warning when a Google site presented the rogue certificate, in which case they should refuse the connection rather than try to log in.

The discovery is the second time in five months that rogue SSL certificates have been found in the wild. In March, hackers cracked the web certification system used by RSA and created a number of new, valid certificates for Google and six other domains through the certification company Comodo. The rogue certificates were in use for eight days before they were withdrawn from popular browsers, and for longer in e-mail programs.

Both incidents have raised growing concern among security experts about the level of trust placed in SSL certification, which is used to create a "web of trust" in which approved companies in various locations can certify sites, so that users can be confident that their communications are not being intercepted. The March hack of Comodo is believed to have been carried out by an Iranian team.

The central weakness in web certification is that any company authorised to issue certificates is trusted by almost every web browser, regardless of whether it has any valid claim to the domain in question. So a certificate for google.com issued by DigiNotar would be trusted by almost any browser, even if it had been issued to a hacker, meaning someone who is not Google.

"How many DigiNotar-issued fake certificates are out there that nobody has noticed?" said Mikko Hypponen, chief research officer at the Finnish security firm F-Secure.

Users of the latest version of Google's Chrome browser would have been safe from the attacks of recent months, because it uses a system called "pinning" in which it rejects certificates from all but a limited number of companies, which do not include DigiNotar. However, the DigiNotar certificate was issued on 10 July, and the version of Chrome that would reject the certificate did not appear until 10 August, leaving a critical window in which users were vulnerable to attack.
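To make the contrast between the two paragraphs above concrete, here is an added illustration (not code from the article or from any browser) of why ordinary chain validation accepts a certificate from any trusted CA while pinning does not; every name and key byte string in it is a constructed stand-in, not real CA data.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    spki: bytes  # DER SubjectPublicKeyInfo; constructed stand-in bytes here


def spki_sha256(cert: Cert) -> str:
    """Pins are normally hashes of the public key, not of the whole certificate."""
    return hashlib.sha256(cert.spki).hexdigest()


def chain_is_trusted(chain, trusted_roots):
    """Ordinary browser validation: each link names the next as its issuer and
    the last link is a self-signed root in the trust store. Any trusted CA will do."""
    for child, parent in zip(chain, chain[1:]):
        if child.issuer != parent.subject:
            return False
    root = chain[-1]
    return root.issuer == root.subject and root.subject in trusted_roots


def chain_is_pinned(chain, pinned_hashes):
    """Pinning: accept only if some certificate in the chain carries a pinned key."""
    return any(spki_sha256(cert) in pinned_hashes for cert in chain)


# Constructed sample chains (names and key bytes are stand-ins, not real CA data).
EXAMPLE_ROOT = Cert("Example Root CA", "Example Root CA", b"constructed-key-root")
EXAMPLE_INTERMEDIATE = Cert("Example Intermediate CA", "Example Root CA", b"constructed-key-intermediate")
DIGINOTAR_ROOT = Cert("DigiNotar Root CA", "DigiNotar Root CA", b"constructed-key-diginotar")

LEGIT_CHAIN = [Cert("*.google.com", "Example Intermediate CA", b"constructed-key-leaf-1"),
               EXAMPLE_INTERMEDIATE, EXAMPLE_ROOT]
ROGUE_CHAIN = [Cert("*.google.com", "DigiNotar Root CA", b"constructed-key-leaf-2"),
               DIGINOTAR_ROOT]

TRUST_STORE = {"Example Root CA", "DigiNotar Root CA"}  # as it stood before DigiNotar was removed
GOOGLE_PINS = {spki_sha256(EXAMPLE_INTERMEDIATE), spki_sha256(EXAMPLE_ROOT)}


def evaluate(chain, trusted_roots=TRUST_STORE, pins=GOOGLE_PINS):
    """Return (accepted by ordinary validation, accepted by pinning)."""
    return chain_is_trusted(chain, trusted_roots), chain_is_pinned(chain, pins)


if __name__ == "__main__":
    print("legit:", evaluate(LEGIT_CHAIN))                          # (True, True)
    print("rogue:", evaluate(ROGUE_CHAIN))                          # (True, False)
    print("rogue, CA removed:", evaluate(ROGUE_CHAIN, {"Example Root CA"}))  # (False, False)
```

The second result is the DigiNotar situation: a chain that every browser trusting that CA accepts, but that a pinned client rejects; the third is the effect of vendors dropping the CA from their trust store.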

The Electronic Frontier Foundation said: "The CA system was created decades ago, at a time when the biggest online security concern was thought to be protecting users from having their credit card numbers stolen by petty criminals. Today Internet users rely on this system to protect their privacy against nation-states. We doubt it can bear this burden."

The EFF says certification authorities have been "caught issuing fraudulent certificates in at least half a dozen high-profile cases in the past two years", but that the concern about the most recent case is that it could have been used to spy on any number of Iranian users.

Charles Arthur

guardian.co.uk © Guardian News & Media Limited 2011
