The Iranian government has been listening in on secure e-mail traffic with the help of a Dutch company. Iran appears to have obtained an officially approved web security certificate which enabled it to intercept messages sent on Google’s e-mail service Gmail.
This digital certificate meant that Iranian users were under the impression they had a secure link to the Gmail site, without third parties being able to monitor their messages. Their web browser responded to the certificate assuring them this was the case.
But the certificate in question was one that the Iranian authorities obtained from Dutch firm Diginotar. Details leaked on Monday indicate that this certificate was issued for Google domain names. If the company had followed proper procedure, it would immediately have been clear there was something wrong, since Google’s domain names are already certified.
Web browsers Internet Explorer and Mozilla Firefox have responded by removing Diginotar from their lists of trusted certificate authorities. From now on these browsers will warn visitors to websites with a Diginotar certificate that the connection may not be secure.
The company, which also administers certificates for the Dutch government, has yet to comment on the issue. The government websites will remain unaffected, since their certificates are not registered directly to Diginotar.
The GreenLeft party now plans to put questions to the Dutch Foreign Minister and the European Commission on the issue.
(dd/imm)
© Radio Netherlands Worldwide