Google on Thursday disclosed information about two fraudulent digital certificates, one of which was used to issue an unauthorized Google.com certificate, saying it has blocked them and notified other browser vendors to do the same. Microsoft also announced it has removed the trust of the certificates in question and Mozilla has confirmed revoking trust as well.
Before we dive into the details, here’s some background. A digital certificate is an electronic document used as a digital signature to bind a public key with an identity (in this case Google) to verify that a public key belongs to it.
Google says that late on Christmas Eve, Chrome detected and blocked an unauthorized Google.com certificate, which led the company to investigate and find it was issued by an intermediate certificate authority (CA) linking back to TurkTrust. On Christmas Day, Google updated Chrome’s certificate revocation metadata to block that intermediate CA, and then alerted TurkTrust and other browser vendors.
The Turkish certificate authority found that in August 2011 it had mistakenly issued two intermediate CA certificates to organizations that should have instead received regular SSL certificates. As such, Google again pushed a Chrome metadata update on December 26 and once again informed other browser vendors.
It appears that although TurkTrust mistakenly issued two intermediate certificates, only one was used to generate an unauthorized certificate (for Google.com). Microsoft gave a bit more detail on the two fake certificates:
TurkTrust Inc. incorrectly created two subsidiary Certificate Authorities: (*.EGO.GOV.TR and e-islam.kktcmerkezbankasi.org). The *.EGO.GOV.TR subsidiary CA was then used to issue a fraudulent digital certificate to *.google.com.
As Google correctly notes, since intermediate CA certificates carry the full authority of the CA, they can be used to create a certificate for any website they wish to impersonate. As such, the company has decided to update Chrome again in January to no longer indicate Extended Validation status for certificates issued by TurkTrust, though it says connections to TurkTrust-validated HTTPS servers may continue to be allowed.
In the meantime, Microsoft today released Security Advisory 2798897 in which the company says it is aware of active attacks using the two certificates issued by TurkTrust. Microsoft has also updated its Certificate Trust List (CTL) to remove the trust of the two certificates.
Microsoft notes that Windows Vista users and above who installed the CTL feature released in June are safe. Windows XP and Windows Server 2003 users, however, as well as those who didn’t install CTL, are being urged to download and install the latest version as soon as possible.
Finally, Mozilla has announced it is actively revoking trust for the two certificates. The company is planning to release an update to all supported versions of Firefox on January 8.
Mozilla said it is concerned that at least one of the intermediate certificates was used for man-in-the-middle (MITM) traffic management of domain names and that the private keys for these certificates were not kept secure. The company offered more details:
An intermediate certificate that is used for MITM allows the holder of the certificate to decrypt and monitor communication within their network between the user and any website. Additionally, If the private key to one of the mis-issued intermediate certificates was compromised, then an attacker could use it to create SSL certificates containing domain names or IP addresses that the certificate holder does not legitimately own or control. An attacker armed with a fraudulent SSL certificate and an ability to control their victim’s network could impersonate websites in a way that would be undetectable to most users. Such certificates could deceive users into trusting websites appearing to originate from the domain owners, but actually containing malicious content or software.
In other words, someone could have accessed sensitive data that users thought they were safely sending to Google.com.
Both Google and Mozilla will be updating their browsers next week. We will keep you posted when they do.
See also – Adobe finds a code-signing server has been hacked; plans to revoke the certificate on October 4th
Image credit: Milda K