"For one [thing], there's the type of information being looked for -- from Google users," said Schouwenberg. "This hints towards an intelligence operation rather than anything else. Secondly, this type of attack only works when the attacker has some control over the network, but not over the actual machine."

Others were more skeptical because of the claim that a single hacker pulled off the Comodo heist.

"I think it might still be a stretch to attribute this to the Iranian government," said Marlinspike on Twitter shortly before 4 p.m. ET. "We all know how that went last time."

The google.com certificate has not yet been revoked by DigiNotar -- the first step to blocking its use -- even though it was issued July 10.

Last March, browser makers, including Google, Microsoft and Mozilla, rushed out updates that added the stolen Comodo certificates to their applications' blacklists.