Feeds

Browser makers rush to block fake Google.com security cert

Turkish authority's goof could compromise data

Boost IT visibility and business value

Google and other browser vendors have taken steps to block an unauthorized digital certificate for the " *.google.com" domain that fraudsters could have used to impersonate the search giant's online services.

According to a blog post by software engineer Adam Langley, Google's Chrome team first discovered a site using the fraudulent certificate on Christmas Eve. Upon investigation, they were able to trace the phony credential back to Turkish certificate authority Turktrust, which quickly owned up to the problem.

It seems that in August 2011, Turktrust mistakenly issued two intermediate certificates to one of its customers, instead of the ordinary SSL certificates it should have issued. It was one of these more trusted certificates that allowed the customer to generate the fake " *.google.com" certificate, unbeknownst to Turktrust or Google.

Armed with such a certificate, attackers can potentially create fraudulent websites that pose as Google websites, which can then be used to spoof content, launch phishing attacks, or perform man-in-the-middle attacks to intercept data from Google services.

Such attacks would be more insidious than your garden-variety online fraud because the spoofed certificate would cause users' browsers to report the fake sites as genuine.

According to Turktrust's own website, "Turktrust is the one and only local enterprise in Turkey that is recognized by Microsoft (Internet Explorer), Mozilla (Firefox), Opera and Safari web browsers and whose SSL server certificates are valid throughout the world."

That status could be in jeopardy, however, because the only solution to the spoofed-certificate problem, now that the cat is out of the bag, is to revoke the authority of some or all certificates issued by Turktrust.

On Thursday, Google's Langley said that the search giant has already updated the certificate-revocation metadata of its Chrome browser to invalidate both of Turktrust's wrongly-issued intermediate certificates – one on Christmas Day and the other the day after – and that further actions are forthcoming.

"Given the severity of the situation, we will update Chrome again in January to no longer indicate Extended Validation status for certificates issued by Turktrust, though connections to Turktrust-validated HTTPS servers may continue to be allowed," Langley wrote.

In a separate security advisory, Microsoft said it had similarly updated the Certificate Trust List to revoke the authority of the problem certificates for all supported versions of Windows, which currently means Windows XP Service Pack 3 and later.

But the Mozilla Foundation went even further, not merely revoking the two certificates, but also suspending inclusion of Turktrust's root certificate with the Firefox browser "pending further review."

"We are concerned that at least one of the mis-issued intermediate certificates was used for man-in-the-middle (MITM) traffic management of domain names that the customer did not legitimately own or control," Mozilla director of security assurance Michael Coates wrote in a blog post. "We are also concerned that the private keys for these certificates were not kept as secure as would be expected for intermediate certificates."

As usual, users of all browsers are advised to make sure they are up to date with the latest security fixes, although some browsers – such as Chrome – install such fixes automatically.

Coates added that any additional action regarding Turktrust would be discussed in the Mozilla Foundation's mozilla.dev.security.policy forum. ®

Gartner critical capabilities for enterprise endpoint backup

More from The Register

next story
Microsoft: We plan to CLEAN UP this here Windows Store town
Paid-for apps that provide free downloads? Really
Snowden on NSA's MonsterMind TERROR: It may trigger cyberwar
Plus: Syria's internet going down? That was a US cock-up
Who needs hackers? 'Password1' opens a third of all biz doors
GPU-powered pen test yields more bad news about defences and passwords
e-Borders fiasco: Brits stung for £224m after US IT giant sues UK govt
Defeat to Raytheon branded 'catastrophic result'
Hear ye, young cyber warriors of the realm: GCHQ wants you
Get involved, get a job and then never discuss work ever again
Chinese hackers spied on investigators of Flight MH370 - report
Classified data on flight's disappearance pinched
Microsoft cries UNINSTALL in the wake of Blue Screens of Death™
Cache crash causes contained choloric calamity
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
7 Elements of Radically Simple OS Migration
Avoid the typical headaches of OS migration during your next project by learning about 7 elements of radically simple OS migration.
BYOD's dark side: Data protection
An endpoint data protection solution that adds value to the user and the organization so it can protect itself from data loss as well as leverage corporate data.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?