Feeds

Browser makers rush to block fake Google.com security cert

Turkish authority's goof could compromise data

Security for virtualized datacentres

Google and other browser vendors have taken steps to block an unauthorized digital certificate for the " *.google.com" domain that fraudsters could have used to impersonate the search giant's online services.

According to a blog post by software engineer Adam Langley, Google's Chrome team first discovered a site using the fraudulent certificate on Christmas Eve. Upon investigation, they were able to trace the phony credential back to Turkish certificate authority Turktrust, which quickly owned up to the problem.

It seems that in August 2011, Turktrust mistakenly issued two intermediate certificates to one of its customers, instead of the ordinary SSL certificates it should have issued. It was one of these more trusted certificates that allowed the customer to generate the fake " *.google.com" certificate, unbeknownst to Turktrust or Google.

Armed with such a certificate, attackers can potentially create fraudulent websites that pose as Google websites, which can then be used to spoof content, launch phishing attacks, or perform man-in-the-middle attacks to intercept data from Google services.

Such attacks would be more insidious than your garden-variety online fraud because the spoofed certificate would cause users' browsers to report the fake sites as genuine.

According to Turktrust's own website, "Turktrust is the one and only local enterprise in Turkey that is recognized by Microsoft (Internet Explorer), Mozilla (Firefox), Opera and Safari web browsers and whose SSL server certificates are valid throughout the world."

That status could be in jeopardy, however, because the only solution to the spoofed-certificate problem, now that the cat is out of the bag, is to revoke the authority of some or all certificates issued by Turktrust.

On Thursday, Google's Langley said that the search giant has already updated the certificate-revocation metadata of its Chrome browser to invalidate both of Turktrust's wrongly-issued intermediate certificates – one on Christmas Day and the other the day after – and that further actions are forthcoming.

"Given the severity of the situation, we will update Chrome again in January to no longer indicate Extended Validation status for certificates issued by Turktrust, though connections to Turktrust-validated HTTPS servers may continue to be allowed," Langley wrote.

In a separate security advisory, Microsoft said it had similarly updated the Certificate Trust List to revoke the authority of the problem certificates for all supported versions of Windows, which currently means Windows XP Service Pack 3 and later.

But the Mozilla Foundation went even further, not merely revoking the two certificates, but also suspending inclusion of Turktrust's root certificate with the Firefox browser "pending further review."

"We are concerned that at least one of the mis-issued intermediate certificates was used for man-in-the-middle (MITM) traffic management of domain names that the customer did not legitimately own or control," Mozilla director of security assurance Michael Coates wrote in a blog post. "We are also concerned that the private keys for these certificates were not kept as secure as would be expected for intermediate certificates."

As usual, users of all browsers are advised to make sure they are up to date with the latest security fixes, although some browsers – such as Chrome – install such fixes automatically.

Coates added that any additional action regarding Turktrust would be discussed in the Mozilla Foundation's mozilla.dev.security.policy forum. ®

Beginner's guide to SSL certificates

More from The Register

next story
FYI: OS X Yosemite's Spotlight tells Apple EVERYTHING you're looking for
It's on by default – didn't you read the small print?
Edward who? GCHQ boss dodges Snowden topic during last speech
UK spies would rather 'walk' than do 'mass surveillance'
Microsoft pulls another dodgy patch
Redmond makes a hash of hashing add-on
NOT OK GOOGLE: Android images can conceal code
It's been fixed, but hordes won't have applied the upgrade
DEATH by PowerPoint: Microsoft warns of 0-day attack hidden in slides
Might put out patch in update, might chuck it out sooner
'LulzSec leader Aush0k' found to be naughty boy not worthy of jail
15 months home detention leaves egg on feds' faces as they grab for more power
prev story

Whitepapers

Cloud and hybrid-cloud data protection for VMware
Learn how quick and easy it is to configure backups and perform restores for VMware environments.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Three 1TB solid state scorchers up for grabs
Big SSDs can be expensive but think big and think free because you could be the lucky winner of one of three 1TB Samsung SSD 840 EVO drives that we’re giving away worth over £300 apiece.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.