A hacker in Iran appears to be behind an Internet attack that almost left Google, Microsoft, Mozilla, Skype, and Yahoo vulnerable to impersonation. The attack was thwarted before anything catastrophic happened, but had it succeeded, the attacker would have been able to pass off web apps from any of those companies as the real deal.
Whether a site is who it claims to be is decided by a protocol known as Secure Sockets Layer, or SSL. When you reach a secure service, the server hands your browser a digital certificate that ties its domain name to a cryptographic key, and the browser accepts it only if that certificate was signed by a certificate authority the browser already trusts. That check is what vouches for companies like Google or Microsoft being who they say they are when you're transacting through a browser-based app. If you've ever wondered what the 's' after 'http' signifies when you're accessing a secure service, now you know.
Someone has to issue those certificates, and in this case we’re talking about Comodo, a commercial firm that sells products like firewalls, backup utilities, and e-commerce tools–including subscription-based SSL certificates. The hacker somehow managed to slip past Comodo’s defenses and request nine of these, and while the company says it’s not sure if the hacker successfully retrieved them all, at least one was “definitely” acquired.
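To make the mechanism concrete, here is an added example written in Go; it is not code from the original article, from Comodo, or from any of the companies named. It builds a throwaway certificate authority in memory, has it sign a certificate for mail.google.com on behalf of a key pair the "attacker" generated, and then runs the checks a browser performs before showing the padlock. The CA name, the serial number and the second host name are made up for the example. What it shows is that once the issuing CA is in the trust store, nothing about the certificate reveals that the wrong party requested it, and that the relying party's remedies are to blocklist that particular certificate or to stop trusting the CA.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// Scenario holds a throwaway trust anchor and a certificate it signed for a
// name the requester does not own. Everything is generated in memory; none of
// it is a real Comodo or Google certificate.
type Scenario struct {
	Root *x509.Certificate // the CA sitting in the browser's trust store
	Leaf *x509.Certificate // the mis-issued end-entity certificate
}

// sign builds a certificate from tmpl, signed by key (self-signed when parent
// is nil), and returns the parsed result.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, key *ecdsa.PrivateKey) (*x509.Certificate, error) {
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildScenario models the mis-issuance: the CA signs the CSR it receives, so
// the result is indistinguishable, to a browser, from a certificate Google
// itself would have obtained.
func BuildScenario() (*Scenario, error) {
	now := time.Now()
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	root, err := sign(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Hypothetical Root CA"}, // made-up CA
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}, nil, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	// The attacker's key pair: the CA only ever sees the public half in the CSR.
	attackerKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	leaf, err := sign(&x509.Certificate{
		SerialNumber: big.NewInt(0x1337), // hypothetical serial number
		Subject:      pkix.Name{CommonName: "mail.google.com"},
		DNSNames:     []string{"mail.google.com"},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, root, &attackerKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return &Scenario{Root: root, Leaf: leaf}, nil
}

// Fingerprint is the SHA-256 of the DER encoding, a stable handle for
// blocklisting one specific certificate.
func Fingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.Raw)
	return hex.EncodeToString(sum[:])
}

// VerifyAsBrowser does what a relying party does before showing the padlock:
// refuses blocklisted certificates, then requires a chain to a trusted root
// and a name matching the host being visited.
func VerifyAsBrowser(leaf *x509.Certificate, roots *x509.CertPool, host string, blocked map[string]bool) error {
	if blocked[Fingerprint(leaf)] {
		return fmt.Errorf("certificate %s... is blocklisted", Fingerprint(leaf)[:16])
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

func main() {
	s, err := BuildScenario()
	if err != nil {
		panic(err)
	}
	trusted := x509.NewCertPool()
	trusted.AddCert(s.Root)
	// Issuing CA trusted, name matches: accepted, nothing for the browser to notice.
	fmt.Println("trusted CA, right host:", VerifyAsBrowser(s.Leaf, trusted, "mail.google.com", nil))
	// A certificate impersonates only the names it carries.
	fmt.Println("trusted CA, other host:", VerifyAsBrowser(s.Leaf, trusted, "login.skype.com", nil))
	// Two ways to shut it down: blocklist that certificate, or distrust the CA.
	blocked := map[string]bool{Fingerprint(s.Leaf): true}
	fmt.Println("blocklisted:", VerifyAsBrowser(s.Leaf, trusted, "mail.google.com", blocked))
	fmt.Println("CA distrusted:", VerifyAsBrowser(s.Leaf, x509.NewCertPool(), "mail.google.com", nil))
}
```

Run it with `go run`: the first line prints `<nil>` (accepted) and the other three print errors. The blocklist is keyed on the certificate's own fingerprint rather than its serial number because serial numbers are only unique per issuer; a CA's mistake is fixed by naming the exact certificate, not by distrusting a number.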
“The attacker was well prepared and knew in advance what he was to try to achieve,” wrote Comodo in an incident report. “He seemed to have a list of targets that he knew he wanted to obtain certificates for, was able quickly to generate the CSRs [Certificate Signing Requests] for these certificates and submit the orders to our system so that the certificates would be produced and made available to him.”
Had the certificates gone into use, they would have let the hacker stand in for the real websites: anyone whose traffic he could intercept or redirect would have seen the genuine address and the padlock, with no warning, while he snatched their passwords and tracked their web activity. A certificate alone isn't enough for that; the attacker also has to get between the user and the real site, by tampering with DNS or by controlling the network path, which is exactly the position an Internet provider or a government with a hand on the network enjoys. The security breach could also have been used to trick users into downloading malware, which could then have extracted and transmitted confidential information.
About the Iran connection: It’s looking considerably more serious than just a random hack. Comodo was able to trace the attacks to several IP addresses, but said they were “mainly from Iran.” Since the Iranian government’s recently been involved in attacks on other encrypted forms of communication, Comodo reasons this latest was also “likely to be a state-driven attack.”
If that last turns out to be true, so much for warming international relations.