Feeds

Browser makers rush to block fake Google.com security cert

Turkish authority's goof could compromise data

5 things you didn’t know about cloud backup

Google and other browser vendors have taken steps to block an unauthorized digital certificate for the " *.google.com" domain that fraudsters could have used to impersonate the search giant's online services.

According to a blog post by software engineer Adam Langley, Google's Chrome team first discovered a site using the fraudulent certificate on Christmas Eve. Upon investigation, they were able to trace the phony credential back to Turkish certificate authority Turktrust, which quickly owned up to the problem.

It seems that in August 2011, Turktrust mistakenly issued two intermediate certificates to one of its customers, instead of the ordinary SSL certificates it should have issued. It was one of these more trusted certificates that allowed the customer to generate the fake " *.google.com" certificate, unbeknownst to Turktrust or Google.

Armed with such a certificate, attackers can potentially create fraudulent websites that pose as Google websites, which can then be used to spoof content, launch phishing attacks, or perform man-in-the-middle attacks to intercept data from Google services.

Such attacks would be more insidious than your garden-variety online fraud because the spoofed certificate would cause users' browsers to report the fake sites as genuine.

According to Turktrust's own website, "Turktrust is the one and only local enterprise in Turkey that is recognized by Microsoft (Internet Explorer), Mozilla (Firefox), Opera and Safari web browsers and whose SSL server certificates are valid throughout the world."

That status could be in jeopardy, however, because the only solution to the spoofed-certificate problem, now that the cat is out of the bag, is to revoke the authority of some or all certificates issued by Turktrust.

On Thursday, Google's Langley said that the search giant has already updated the certificate-revocation metadata of its Chrome browser to invalidate both of Turktrust's wrongly-issued intermediate certificates – one on Christmas Day and the other the day after – and that further actions are forthcoming.

"Given the severity of the situation, we will update Chrome again in January to no longer indicate Extended Validation status for certificates issued by Turktrust, though connections to Turktrust-validated HTTPS servers may continue to be allowed," Langley wrote.

In a separate security advisory, Microsoft said it had similarly updated the Certificate Trust List to revoke the authority of the problem certificates for all supported versions of Windows, which currently means Windows XP Service Pack 3 and later.

But the Mozilla Foundation went even further, not merely revoking the two certificates, but also suspending inclusion of Turktrust's root certificate with the Firefox browser "pending further review."

"We are concerned that at least one of the mis-issued intermediate certificates was used for man-in-the-middle (MITM) traffic management of domain names that the customer did not legitimately own or control," Mozilla director of security assurance Michael Coates wrote in a blog post. "We are also concerned that the private keys for these certificates were not kept as secure as would be expected for intermediate certificates."

As usual, users of all browsers are advised to make sure they are up to date with the latest security fixes, although some browsers – such as Chrome – install such fixes automatically.

Coates added that any additional action regarding Turktrust would be discussed in the Mozilla Foundation's mozilla.dev.security.policy forum. ®

Secure remote control for conventional and virtual desktops

More from The Register

next story
Ice cream headache as black hat hacks sack Dairy Queen
I scream, you scream, we all scream 'DATA BREACH'!
Goog says patch⁵⁰ your Chrome
64-bit browser loads cat vids FIFTEEN PERCENT faster!
NIST to sysadmins: clean up your SSH mess
Too many keys, too badly managed
Scratched PC-dispatch patch patched, hatched in batch rematch
Windows security update fixed after triggering blue screens (and screams) of death
Researchers camouflage haxxor traps with fake application traffic
Honeypots sweetened to resemble actual workloads, complete with 'secure' logins
Attack flogged through shiny-clicky social media buttons
66,000 users popped by malicious Flash fudging add-on
JLaw, Kate Upton exposed in celeb nude pics hack
100 women victimised as Apple iCloud accounts reportedly popped
New Snowden leak: How NSA shared 850-billion-plus metadata records
'Federated search' spaffed info all over Five Eyes chums
Three quarters of South Korea popped in online gaming raids
Records used to plunder game items, sold off to low lifes
Oz fed police in PDF redaction SNAFU
Give us your metadata, we'll publish your data
prev story

Whitepapers

Endpoint data privacy in the cloud is easier than you think
Innovations in encryption and storage resolve issues of data privacy and key requirements for companies to look for in a solution.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Advanced data protection for your virtualized environments
Find a natural fit for optimizing protection for the often resource-constrained data protection process found in virtual environments.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Next gen security for virtualised datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.