A guy in Iran goes to check his email.
He types gmail.com into his browser and hits enter.
A strange warning pops up.
It says "invalid server certificate."
He's unable to get to Gmail.
He connects to a VPN and tries again.
Through the VPN, it connects just fine.
He thinks there may be some funny business going on.
He posts a question to the Google forums, asking if there's a possible man-in-the-middle attack going on.
He also says he suspects his ISP or the Iranian government of doing something fishy.
Google responded, not only to the forum post, but they published a security warning to the world and released an emergency patch to their Chrome browser.
Mozilla, Microsoft, and Apple followed quickly with similar security updates.
There was, in fact, a man-in-the-middle attack against Gmail users.
An attack which undermined the security in all browsers.
An attack that had devastating consequences.
This is Darknet Diaries.
True stories from the dark side of the Internet.
I'm Jack Rhysider.
This episode is sponsored by Shopify.
Is there any better time to try out something new than at the start of a new year?
I love it.
I feel like I have permission to try learning a new skill or starting a new project or making new decisions.
But if you're feeling extra ambitious, why not do all three and turn 2026 into the year you started your new business with Shopify?
Shopify gives you everything you need to sell online and in person.
Setup is fast with Shopify's built-in AI tools that write product descriptions and headlines and even help you edit product photos.
Millions of entrepreneurs have already made this leap, from household names to first-time business owners just getting started.
And even me, my t-shirt shop is on Shopify.
That's shop.darknetdiaries.com.
And I love Shopify because of how easy it is for me to get my business online.
Marketing is built in too.
You can create emails and social campaigns that reach customers wherever they scroll.
So in 2026, stop waiting and start selling with Shopify.
Sign up for your $1-per-month trial and start selling today at shopify.com/darknet.
Go to shopify.com/darknet.
That's shopify.com/darknet.
Hear your first this new year with Shopify by your side.
This episode is sponsored by Vanta.
Customer trust can make or break your business.
And the more your business grows, the more complex your security and compliance tools get.
It can turn into chaos, and chaos isn't a security strategy.
That's where Vanta comes in.
Think of Vanta as your always-on, AI-powered security expert who scales with you.
Vanta automates compliance, continuously monitors your controls, and gives you a single source of truth for compliance and risk.
So whether you're a fast-growing startup like Cursor or an enterprise like Snowflake, Vanta fits easily into your existing workflows so you can keep growing a company your customers can trust.
Get started at vanta.com/darknet.
That's spelled V-A-N-T-A.
vanta.com/darknet.
HTTPS, SSL, and TLS are all technologies that secure the World Wide Web.
They all rely on certificates, which are sort of like an identification card for websites.
The companies that issue certificates are called certificate authorities, or CAs.
The concept of CAs and certificates is so complicated that I'll have someone else explain it.
My name is Gervase Markham.
And for about the last twelve or so years, I've been involved with the certificate authority root program at Mozilla.
A certificate authority is basically somebody who checks identity and that you trust to check identity.
The level of checking depends on the type of certificate.
They might just check that the person who says they own the domain foo.com owns the domain foo.com.
They might also say, and by the way, it is Foo Corporation of 116 Acacia Avenue, Birmingham, UK, and, you know, this is their phone number, and this is their company reference number and stuff like that.
It may check all of those things, but it checks some level of information.
And the primary purpose of a CA is so that when you type foo.com into your web browser and that request goes out across the Internet, which could be populated by any number of hostile or nefarious people controlling various bits of the network, the data you get back, (a) does come from foo.com, and (b) hasn't been tampered with or can't be viewed along the way.
The certificate system basically underlies the secure connection ability of the web.
Web browsers such as Firefox contain an internal list of trusted CAs and hold a list of root certificates to use for verification.
When you visit a website, it will present a certificate which identifies the domain of the website.
The certificate also says which CA checked and verified that this information is true.
The browser then checks to see if the CA is trustworthy.
Your browser contains a list of all trustworthy CAs and root certificates.
Firefox, for instance, has 64 organizations and 159 certificates.
This list of trustworthy organizations is called a root store.
When a company decides they want to become a certificate authority, they need to work with the browsers to be added to the root store.
If they aren't added, browsers won't trust those websites.
So there are four major root stores.
There's us.
There's Microsoft.
There's Apple.
And there's Google.
The criteria that we have for CAs to be included will include particular audits, which try to demonstrate that the CA is acting in accordance with the relevant sort of security guidelines.
Then auditors will come in and check that.
And they will be able to present those audits to lots of different root programs.
Gervase and his team are in charge of deciding which CAs are trustworthy and which aren't.
This is an extremely important job.
He is like the security guard for the Internet, looking out for everyone who uses Firefox and making sure the organizations that are in the trusted list are safe for the world.
Think about it this way.
If you use Firefox, then you are trusting that this man, Gervase Markham, knows which organizations can be trusted.
It's not just me.
There are three of us who currently work on the CA program, but Mozilla runs the only fully open and transparent root program.
Gervase thinks this kind of decision making should be open to the public so they can see the decision process and even give input to help make the decision.
That's what he means by saying his root program is open and transparent.
Because as you can imagine, deciding which certificate authorities are trustworthy is a difficult task.
Trust is an organic thing.
Right?
Trust is not something that results from coming to the end of a checkbox.
So if we read a, you know, a news article that says, for example, the government of Kazakhstan is considering man-in-the-middling all of its citizens, and then we receive an application from the government of Kazakhstan to include their root certificate in the browser, even if all of the paperwork is in place, you know, we might, you know, be somewhat reluctant to add that root certificate to our browser because we have external information about what that government may be wanting to use that certificate for.
So, you know, there is, you know, the question of the reputation of the organization who is applying as well.
So it is not, you know, just a simple checklist, but we do try and have criteria that are at least vaguely objective so that CAs know what they have to do in order to be included.
But there's a few problems with this whole approach to using root stores and certificate authorities.
Security researchers are still trying to find better solutions to this problem.
One issue is that the certificate system had a weakest-link problem.
That is to say, if you trust 64 different organizations and one of them has sucky security, then you have a problem.
It doesn't matter if your particular site uses one of the other 63, because the attacker can get a certificate from the dodgy one and then impersonate you.
That is, if one of the 64 organizations were to be hacked, it ruins the trust for all other CAs.
Basically, the hacker would then be on the trusted list.
The security of CAs has to be top notch and impenetrable.
Comodo is one of the largest CAs in the world.
They issue certificates for millions of websites around the world.
And in early 2011, they were hacked.
The hacker issued nine fake certificates.
But Comodo immediately detected this and revoked the certificates.
A few days later, Comodo had fixed the problems and publicly announced that an intrusion took place.
But a few days after that, a second intrusion took place.
But this time, the hacker was unsuccessful.
All attempts at doing anything failed.
The hacker was able to get into the network but couldn't take any steps beyond that.
They were unable to issue any certificates or do anything significant.
Then we see a strange post show up on Pastebin.
Pastebin is a website where anyone can post a message anonymously.
This message was written by a person named Comodo Hacker, and it reads, quote, "Hello.
I'm writing this to all the world so you know more about us.
At first, I wanna give some points so you'll be sure I'm the hacker.
I hacked Comodo from InstantSSL.
Their Comodo username and password was GTAdminGlobalTrust.
I'm not a group.
I'm a single hacker with the experience of 1,000 hackers," end quote.
The message goes on to explain more on how he got in and what he did.
At the very end, he writes in Persian, "I will sacrifice my soul for my leader."
Five days later, Comodo announces the second intrusion, but mentions the hacker was unable to do anything, and they fixed the holes in their network.
Overall, Comodo handled this issue fairly well.
They quickly detected and fixed the issue and notified the public.
Comodo isn't the only CA.
Another popular one is DigiNotar.
It's a Dutch-based company.
They started out in 1998 doing notarizations in the Netherlands.
Eventually they became a respectable CA.
In fact, the Dutch government used DigiNotar as a CA for many of their websites.
And in early 2011, Vasco bought DigiNotar for almost $13,000,000.
And DigiNotar, I think, is a case that had really sort of invested heavily into security, as you have to if you're a certificate authority.
That's Josephine Wolff.
And I'm an assistant professor in the public policy and computing security departments at Rochester Institute of Technology.
She recently published an article in Slate regarding DigiNotar.
The network was set up with all of these segments, with the public-facing external net, and the DMZ internal, and then the sort of several layers beyond that.
But they also had physical controls in place.
So once you're into the most secure portion of the network, if you then want to actually access the production servers that are used to issue certificates, you had to get to these computers that were stored in a room that's something out of, like, a James Bond movie, right?
There are two sets of doors, there's a hand recognition device and a PIN code, and you have to insert an electronic key card in order to actually begin the certificate issuing process.
So there are several levels of security that ostensibly you have to get past in order to issue a certificate in this setup.
DigiNotar knew security was vital to the reputation of the company and invested heavily in its own security.
I like to sometimes think of securing a network as similar to securing a castle that has 10,000 doors and windows.
Even if you spend the time to go check every door and window to make sure it's locked, you may have missed one or may not be aware of one.
And over time, you're bound to make a mistake and leave a door unlocked.
Maybe because you are lazy or distracted, but humans make mistakes.
In 2011, DigiNotar made such a mistake, and a hacker entered their network.
The breach begins by the perpetrator actually connecting to the public-facing web servers that DigiNotar has up, and it's a little bit out of date.
There are some patches that they haven't updated in the content management software.
And so the perpetrator connects to their web servers, takes advantage of some of those out-of-date vulnerabilities, and uses those vulnerabilities to tunnel through this incredibly extensive set of firewall rules into what's supposed to be sort of the most secure silo of their network.
The hacker eventually made his way to the server that issues certificates.
But DigiNotar had a security check in place where a physical key card had to be present in the computer before a certificate could be issued.
And it turns out that there's a key card, we think, that's actually being left in permanently, not just out of laziness, but because DigiNotar wants to be able to automatically generate what are called certificate revocation lists.
Right?
Every time a certificate becomes untrusted or outdated or is being revoked for some reason, DigiNotar wants to be issuing automatic lists of those certificates so that all of the browsers that trust DigiNotar certificates will stop trusting those particular certificates.
And in order to issue those lists, you need to have one of these cards inserted into the secure servers in this room.
And so because it's just being left in there, it turns out that all of these layers of security, which seem sort of like overkill, are actually able to be bypassed.
This intruder is able to issue a bunch of rogue certificates in the names of a whole variety of different domains.
Right?
The big one that comes up are the google.com certificates, but I believe there are also cia.gov certificates being issued, and many, many others.
With these certificates, the hacker can now become Google.
They can trick the browser into believing they are google.com.
That is because DigiNotar was one of the trusted CAs within the browser.
This breach took place on July 10, 2011, and he ended up issuing 531 rogue certificates.
Nine days later, DigiNotar detected the breach, but they didn't announce it publicly.
Over a month later is when the Google forum post showed up about the man in Iran who couldn't get to gmail.com.
The people in Iran who are trying to connect to their Gmail accounts are being redirected to the wrong website, one that probably looks exactly like the real Gmail.
And because they've got these rogue certificates issued by DigiNotar, the people who created this fake Gmail or Google website are able to actually sign it and look like it's really, authentically a Google site.
But because they've got this rogue certificate, they're able to do that.
People are going to what they believe are Google sites, entering their credentials.
We suspect those credentials are then being used to spy on their Google accounts in various ways.
The hacker then took these certificates and proceeded to create a man-in-the-middle attack.
This is where a hacker intercepts the traffic that's supposed to go somewhere else.
The rogue certificates are only half of what's needed to do a man-in-the-middle attack.
The hacker needs to redirect people to his server instead of the real Google servers.
We don't know exactly how he did this, but the best theory with the most supporting facts is he did a DNS poisoning attack.
A DNS server translates a domain like google.com to an IP address so routers can find where they need to go.
He tricked the DNS servers in Iran so that anyone looking for google.com would be redirected to his IP instead.
There's no definitive proof that that's how the redirect happens.
There's sort of circumstantial evidence that you can use to try and make that case.
Right?
So it's possible that there's an ISP in Iran that's actually either complicit or has been compromised and is therefore redirecting traffic to these fraudulent sites.
Another possibility is that it's a very high-level DNS server that has been compromised and is sort of propagating those fake records down to the other DNS servers that rely on it in the hierarchy.
And again, there's a sense that the investigators have, just based on the evidence, that it's probably not that, because when they look at how many people are being redirected and when they're being redirected, it's very bursty.
That is, you see sort of a big spike in the number of people being sent to the fake sites, then it goes down and there's a spike again, which makes them think that it's probably not poisoning happening at a high level.
It's probably sort of some local DNS servers being flooded with messages that look like they come from high-level trusted DNS servers, but instead are actually coming from the attackers saying, here's the correct updated DNS record for google.com.
And that will only last a certain period of time because then that DNS server will get the correct record from the higher-level DNS server.
So then it will start sending people to the right site again, and the attackers will have to come back and poison it again.
Over 300,000 people from Iran visited the rogue server.
This attack seemed to be targeting Iranian civilians.
This attack would have gone undetected for some time, but Google had a clever way of detecting it.
It's finally noticed because they're actually doing this within the Chrome browser, which is made by Google; because Google owns the Chrome browser, which is checking these certificates, and owns the websites that they're being used to imitate, the browser actually notices.
This is a certificate that comes from a trusted certificate authority.
Right?
Chrome trusts certificates issued by DigiNotar, but we know it's not the right certificate because we know what our Google certificates are, and this is not one of them.
This is why the guy in the Google forums had a server certificate error.
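A toy model of the decision the browser is making at this point, added here as an example (it is not code from the episode, Mozilla, or Google). It assumes constructed CA keys, an HMAC stand-in for real RSA/ECDSA signatures, and a single leaf-to-root chain, and it also plays out the two root-store responses the story goes on to describe: dropping the DigiNotar root entirely, and distrusting only certificates it issued after July 2011.

```python
import hashlib
import hmac
from datetime import date


def toy_sign(ca_key: bytes, cert: dict) -> bytes:
    """Stand-in for the CA's RSA/ECDSA signature over the to-be-signed fields (constructed)."""
    tbs = f"{cert['subject']}|{cert['issuer']}|{cert['spki'].hex()}|{cert['not_before']}".encode()
    return hmac.new(ca_key, tbs, hashlib.sha256).digest()


def issue(ca_name: str, ca_key: bytes, subject: str, spki: bytes, not_before: date) -> dict:
    """What a CA does: bind a name to a public key (SPKI) and sign the result."""
    cert = {"subject": subject, "issuer": ca_name, "spki": spki, "not_before": not_before}
    cert["sig"] = toy_sign(ca_key, cert)
    return cert


def spki_pin(spki: bytes) -> str:
    """A pin is a hash of the site's own public key, independent of which CA signed it."""
    return hashlib.sha256(spki).hexdigest()


def hostname_matches(pattern: str, host: str) -> bool:
    """Exact match, or one leading wildcard label: *.google.com covers mail.google.com but not google.com."""
    if pattern == host:
        return True
    return (pattern.startswith("*.") and host.count(".") == pattern.count(".")
            and host.endswith(pattern[1:]))


def validate(cert: dict, host: str, root_store: dict, pins=None, distrust_after=None):
    """The browser's decision. Returns (accepted, reason).

    root_store:     CA name -> verification key (the trusted list the episode describes)
    pins:           domain -> set of allowed SPKI hashes (what Chrome had for google.com)
    distrust_after: CA name -> date; certificates issued after it are rejected
    """
    ca_key = root_store.get(cert["issuer"])
    if ca_key is None:
        return False, "issuer not in root store"
    if not hmac.compare_digest(toy_sign(ca_key, cert), cert["sig"]):
        return False, "bad signature"
    if not hostname_matches(cert["subject"], host):
        return False, "hostname mismatch"
    cutoff = (distrust_after or {}).get(cert["issuer"])
    if cutoff is not None and cert["not_before"] > cutoff:
        return False, "issued after distrust date"
    # Chain validation passed; this is as far as most browsers went in 2011.
    for domain, allowed in (pins or {}).items():
        if (host == domain or host.endswith("." + domain)) and spki_pin(cert["spki"]) not in allowed:
            return False, "public key not in pin set"
    return True, "ok"


def scenario() -> dict:
    """Constructed keys and certificates; a real CA key never leaves its HSM."""
    google_ca, diginotar = b"constructed-google-ca-key", b"constructed-diginotar-key"
    root_store = {"Google Internet Authority": google_ca, "DigiNotar Root CA": diginotar}
    real = issue("Google Internet Authority", google_ca, "*.google.com", b"google-real-spki", date(2011, 1, 5))
    rogue = issue("DigiNotar Root CA", diginotar, "*.google.com", b"attacker-spki", date(2011, 7, 10))
    gov = issue("DigiNotar Root CA", diginotar, "ministry.example.nl", b"gov-spki", date(2011, 3, 1))
    pins = {"google.com": {spki_pin(real["spki"])}}
    without_diginotar = {k: v for k, v in root_store.items() if k != "DigiNotar Root CA"}
    july_cutoff = {"DigiNotar Root CA": date(2011, 7, 1)}
    return {
        "real_no_pins": validate(real, "mail.google.com", root_store),
        "rogue_no_pins": validate(rogue, "mail.google.com", root_store),          # weakest link
        "rogue_with_pins": validate(rogue, "mail.google.com", root_store, pins),  # Chrome's check
        "rogue_removed": validate(rogue, "mail.google.com", without_diginotar),
        "gov_removed": validate(gov, "ministry.example.nl", without_diginotar),   # collateral damage
        "rogue_partial": validate(rogue, "mail.google.com", root_store, None, july_cutoff),
        "gov_partial": validate(gov, "ministry.example.nl", root_store, None, july_cutoff),
    }


if __name__ == "__main__":
    for name, (ok, why) in scenario().items():
        print(f"{name:16s} {'ACCEPT' if ok else 'REJECT'}  ({why})")
```

The rogue certificate is accepted by plain chain validation and rejected only by the pin, which is exactly the gap the forum poster's Chrome warning exposed.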
Gervase over at Firefox was on the front line.
Google notified us that they had detected a misissued certificate for *.google.com, which was being used in active attacks on users in Iran.
And so we started investigating this.
And I basically took on incident response.
So I was very busy.
In the case of DigiNotar, their network was thoroughly penetrated and had been for months.
Their logs were a mess.
Their infrastructure was a mess.
There was no way of telling the scope of the compromise and therefore no way of containing it to a particular root or a group of roots or an intermediate or group of intermediates.
Because of the catastrophic failures of security, it was impossible to continue any form of trust in the DigiNotar systems and organizations.
When Mozilla decided DigiNotar was no longer trustworthy, they removed them from the root store.
But users would have to update their browser in order to receive the version of Firefox that didn't trust DigiNotar.
All the other root stores also removed DigiNotar from the trusted list.
Almost two months after the breach took place, and well after Iran had been the target of a massive man-in-the-middle attack, DigiNotar finally publicly admitted they were breached.
Once this actually becomes a public compromise, then the Dutch government kind of steps in and takes control of DigiNotar, which is sort of unprecedented in the history of breaches of private companies.
And once that happened, the company is sort of, to a large extent, out of the picture.
Their leadership is no longer making decisions about hiring investigators and everything else.
The Dutch government was using DigiNotar as their primary CA for numerous government sites and applications.
And when browsers began removing DigiNotar from the trusted root store, it broke a lot of systems for the Dutch government.
So they reached out to the root stores and asked to reinstate DigiNotar back into the root store.
The browsers did add DigiNotar back as a trusted CA, but to solve the problem of the rogue certificates, the root stores would block any certificates that were issued by DigiNotar after July 2011.
This allowed the Dutch government to continue and work towards finding a new CA.
Eventually, the Dutch government moved to a new CA, and within three months after the breach, DigiNotar was shut down permanently.
This episode is sponsored by DeleteMe.
DeleteMe makes it easy, quick, and safe to remove your personal data online at a time when surveillance and data breaches are common enough to make everyone vulnerable.
It's easier than ever to find personal information about people online.
Having your address, phone number, and family members' names hanging out there on the Internet can have actual consequences in the real world and makes everyone vulnerable.
Privacy is a super important topic to me.
So a few years ago, I signed up.
DeleteMe immediately got busy scouring the Internet, looking for my name, and then gave me reports on what they found.
And then they got busy deleting things, showing me what they got rid of.
It's great to have someone on my team when it comes to my privacy.
Take control of your data and keep your private life private by signing up for DeleteMe.
Now, with a special discount for my listeners, you can get 20% off your DeleteMe plan when you go to joindeleteme.com/darknetdiaries and use promo code DD20 at checkout.
The only way to get 20% off is to go to joindeleteme.com/darknetdiaries and enter code DD20 at checkout.
That's joindeleteme.com/darknetdiaries, code DD20.
Diginotar 聘请了名为 Fox IT 的安全公司进行调查,以查明发生了什么。
Diginotar hired a security firm called Fox IT to conduct an investigation as to what happened.
他们发现了 Diginotar 网络中的诸多问题。
They found numerous problems in the Diginotar network.
他们发现 Windows 域管理员账户的密码过于简单,容易被暴力破解。
They found the Windows domain administrator account had a simple password and was easy to brute force.
随后,所有证书签发服务器都位于同一个域中。
Then all the certificate issuing servers were on a single domain.
这意味着单个管理员账户能够访问他们全部八台证书服务器。
This means a single admin account was able to access all eight of their certificate servers.
许多系统没有安装防病毒软件,而这些软件本可以阻止其中一些攻击。
Numerous systems didn't have antivirus present, which would have stopped some of these attacks.
没有集中日志记录,关键系统也没有进行隔离。
There was no central logging and no separation of critical systems.
正是这些故障的综合作用,才让黑客能够绕过所有的安全检查。
A combination of all these failures is how the hacker was able to bypass all of the security checks.
Fox IT 还审查了证据,试图找出是谁实施了这次攻击。
Fox IT also looked through the evidence to try to find who did this attack.
我们不知道是谁干的,也没有人因此次泄露事件被抓获或起诉。
We don't know who did this, and nobody's been caught or or prosecuted for this breach.
确实如此。
It's true.
我们尚未能确定是谁干的。
We haven't been able to determine who did this.
但当 Fox IT 调查这次泄露事件时,他们确实发现了一些有趣的线索。
But when Fox IT investigated the breach, they did find some interesting clues.
首先,他们分析了黑客在网络中使用的所有IP地址,并成功将每个IP追溯到一个代理服务器,但有一个例外。
First, they looked at all the IPs the hacker used in the network, and they were able to trace each IP back to a proxy, except for one.
这个IP地址来自伊朗,连接到了DigiNotar网络,且并非通过代理服务器。
This IP connected to the DigiNotar network from Iran, and it was not from a proxy.
它仅连接了几秒钟便断开,随后又出现了一个来自代理服务器的新连接。
It only connected for a few seconds and then disconnected and a new connection showed up from a proxy.
这可能是黑客犯下的一个错误,但他迅速纠正了它。
This may have been a mistake by the hacker who then corrected himself very quickly.
该IP地址此前也曾访问过DigiNotar,这可能是在进行侦察。
That IP was also seen visiting DigiNotar previously, which may have been for reconnaissance.
Fox IT还发现,黑客在被入侵的服务器上留下了一条信息。
Fox IT also found the hacker left a message on the server that was hacked.
信息部分内容如下:'这个世界上没有任何硬件或软件能够阻止我的猛烈攻击,我的头脑、技能、意志或专业能力都可以做到。' 信息末尾还用波斯语写着:'我愿为我的领袖献出我的灵魂。'
It read, in part, quote, there is not any hardware or software in this world exists which could stop my heavy attacks, my brain or my skills or my will or my expertise, with a message at the end in Persian saying, I will sacrifice my soul for my leader.
我们还看到一条来自声称入侵了Komodo CA的人的新PasteBin消息。
We also see a new paste bin message show up from the person who claimed to have hacked the Komodo CA.
这位Komodo黑客现在声称自己也入侵了DigiNotar,并在PasteBin上使用相同的波斯语信息签名。
This Komodo hacker now takes credit for also hacking into Digi Notar and also signs his paste bin with the same message in Persian.
他还声称自己21岁,独自行动。
He also goes on to say he's 21 years old and works alone.
Certainly, DigiNotar and the Dutch government get very caught up in this, because they're sort of the vehicle by which all of this happens.
The real target was espionage directed at Iranian citizens.
But who would want to read the emails of Iranian citizens?
The US has had conflicts with Iran, so it could be a suspect.
And Bruce Schneier, a prominent security expert, says it may be the work of the NSA, or an exploit of the NSA.
But he says this mainly because of a leaked NSA document showing the NSA had access to DigiNotar.
This theory isn't very strong and has almost no other evidence.
So who else would be targeting the general people of Iran?
The Iranian government itself.
To understand why, we need to dial back two years before the hack.
In 2009, there was a presidential election in Iran.
Mahmoud Ahmadinejad won the election with 63% of the vote.
But there was strong opposition to this.
Many Iranians believed the votes had been tampered with and the election was rigged.
Protests began immediately.
This created a divide among the people of Iran.
Some people became extremely distrustful of the government, while other people became extremely loyal.
Police began arresting protesters.
And when protesters didn't leave, they were pepper sprayed, hit with batons, and sometimes shot at.
Within three months of the election, seventy-two protesters died.
Corruption was so bad that the police forced families to sign papers saying their dead relatives died of a heart attack and not by police brutality.
As you can imagine, this only incited even more emotion among the people of Iran.
For years after, the Iranian government worked hard to eliminate any government opposition.
This continued all the way to when this DigiNotar attack took place.
So it's a strong theory that this hack was done by the Iranian government itself, or someone trying to help the Iranian government.
They were possibly looking through emails trying to find dissidents and those who were unhappy with the Iranian president.
And if they were found, it may have resulted in people being arrested, tortured, or killed.
Certificate authorities and browser developers have learned some serious lessons from DigiNotar.
Audits have become more strict for CAs to pass in order for them to be accepted into root stores.
Public key pinning has seen more use.
This is what Google did with their Chrome browser to detect this breach.
They forced Chrome to only accept certificates issued from Google's CA, essentially pinning the certificate to a specific CA.
More websites have done this since DigiNotar, but it has its shortcomings.
For instance, imagine the problems a website would have if they pinned their certificate to a CA that went out of business.
Or imagine if a hacker were to pin a certificate to a rogue CA.
Unpinning a certificate is currently a complicated task.
Since DigiNotar, Firefox has added a new feature to help block rogue certificates.
Here's Gervase to tell us about it.
So we have a system called OneCRL, which is, if you like, an emergency revocation system.
And Firefox will check for certificates on this kind of blacklist every twenty-four hours.
And so if we need to do an emergency revocation of either an individual certificate, or in fact an entire sort of tree of certificates based off one intermediate, then we can put it into OneCRL, and within twenty-four hours every Firefox which has the system, and we've had it for quite a while now, will no longer trust those certificates.
So it's not required to install an update in order for us to distrust something.
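To make the two defences just described concrete, here is a small Python model written for this page; it is not code from the episode, from Mozilla or from Google. It models the key pinning the narration attributes to Chrome (the chain must contain a key whose SPKI hash is in a pinned set, with a backup pin so the site is not locked out if its CA disappears) and an emergency distrust list in the style of OneCRL (a chain is rejected if any certificate in it is listed by issuer and serial, so listing one intermediate kills every chain that passes through it). The certificates, issuer names, serials and key bytes are constructed stand-ins, not real X.509 data or real DigiNotar identifiers, and the last check shows why an unpinned site needs the distrust list at all.

```python
"""Added example: toy chain checks modelling public key pinning and a
OneCRL-style emergency distrust list.  Certificates are plain dicts
constructed here (hypothetical names, serials and key bytes); the 'spki'
field stands in for the DER SubjectPublicKeyInfo of a real certificate."""
import base64
import hashlib


def spki_pin(cert):
    """Pin value: base64(SHA-256(SubjectPublicKeyInfo)), the HPKP encoding."""
    return base64.b64encode(hashlib.sha256(cert["spki"]).digest()).decode()


def check_pins(chain, pins):
    """Pinning passes if ANY certificate in the chain matches a pinned key.
    Pinning the CA key rather than the leaf lets the site rotate leaf certs;
    a second (backup) pin avoids the lock-out that follows if the pinned CA
    goes out of business."""
    return any(spki_pin(c) in pins for c in chain)


def check_onecrl(chain, onecrl):
    """Emergency distrust: reject the chain if ANY cert in it is listed by
    (issuer, serial).  Listing an intermediate's own (issuer, serial) removes
    trust from the whole subtree it issued, because that intermediate sits in
    every chain built under it."""
    return not any((c["issuer"], c["serial"]) in onecrl for c in chain)


def validate(chain, pins, onecrl):
    """Order matters: distrust first, then pins (only if the site has pins)."""
    if not check_onecrl(chain, onecrl):
        return "revoked by OneCRL"
    if pins and not check_pins(chain, pins):
        return "pin mismatch: possible MITM or rogue CA"
    return "ok"


# Constructed sample PKI (hypothetical; not real certificates or serials).
GOOGLE_CA = {"subject": "Example Google CA", "issuer": "Example Root A",
             "serial": 1, "spki": b"google-ca-key"}
BACKUP_CA = {"subject": "Example Google Backup CA", "issuer": "Example Root B",
             "serial": 2, "spki": b"backup-ca-key"}
GMAIL_LEAF = {"subject": "mail.google.com", "issuer": "Example Google CA",
              "serial": 1001, "spki": b"gmail-leaf-key"}
GMAIL_LEAF_ROTATED = {"subject": "mail.google.com",
                      "issuer": "Example Google Backup CA",
                      "serial": 2001, "spki": b"gmail-leaf-key-2"}

ROGUE_ROOT = {"subject": "Compromised Root", "issuer": "Compromised Root",
              "serial": 1, "spki": b"rogue-root-key"}
ROGUE_INTERMEDIATE = {"subject": "Compromised Intermediate",
                      "issuer": "Compromised Root",
                      "serial": 7, "spki": b"rogue-intermediate-key"}
ROGUE_GMAIL = {"subject": "*.google.com", "issuer": "Compromised Intermediate",
               "serial": 4242, "spki": b"attacker-key"}

LEGIT_CHAIN = [GMAIL_LEAF, GOOGLE_CA]
ROTATED_CHAIN = [GMAIL_LEAF_ROTATED, BACKUP_CA]
ROGUE_CHAIN = [ROGUE_GMAIL, ROGUE_INTERMEDIATE, ROGUE_ROOT]

# Pins shipped in the browser for this site: the CA key plus a backup key.
PINS = {spki_pin(GOOGLE_CA), spki_pin(BACKUP_CA)}
NO_PINS = set()

# Distrust list before the incident (empty) and after: one entry naming the
# intermediate by its issuer and serial, which covers everything under it.
ONECRL_BEFORE = set()
ONECRL_AFTER = {("Compromised Root", 7)}


def demo():
    """Return the verdicts for each scenario, in a fixed order."""
    return {
        "legit, pinned, before": validate(LEGIT_CHAIN, PINS, ONECRL_BEFORE),
        "rotated to backup CA": validate(ROTATED_CHAIN, PINS, ONECRL_AFTER),
        "rogue, pinned site": validate(ROGUE_CHAIN, PINS, ONECRL_BEFORE),
        "rogue, unpinned, before": validate(ROGUE_CHAIN, NO_PINS, ONECRL_BEFORE),
        "rogue, unpinned, after": validate(ROGUE_CHAIN, NO_PINS, ONECRL_AFTER),
    }


if __name__ == "__main__":
    for scenario, verdict in demo().items():
        print(f"{scenario:26s} -> {verdict}")
```

The third and fourth scenarios are the point of the story: a pinned site rejects the rogue chain even before anyone has heard of the breach, while an unpinned site accepts it until the distrust entry lands, which is exactly the window a daily-refreshed list shortens without shipping a browser update.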
When a hack takes place at this worldwide scale, it changes the way we do security.
In a way, hackers are like the immune system of the internet.
They infect us, we get sick, we get better, and we become even stronger afterwards.
And even today, six years later, when a major breach happens to a company, someone always reminds us of the fate of DigiNotar.
Thank you to Josephine Wolff for telling us about DigiNotar, and a great big over-the-top thank you to Gervase Markham for coming on the podcast.
Because about a year after this episode originally aired, Gervase passed away.
At 22, he was diagnosed with a malignant salivary gland cancer, and after battling it for eighteen years, he passed away at the age of 40.
Gervase made significant contributions to securing Firefox and the Bugzilla tool, and we have him to thank for keeping us safe in this unsafe world.
We're gonna miss you, Gervase.
Music is provided by Ian Alex Mac and Kevin MacLeod.