Google finds unauthorized certificate for google.com domain, scrambles to protect users
The company updated its Chrome browser and notified other browser makers about the problem
IDG News Service - Google has taken steps to close potential security holes created by a fraudulent certificate for its google.com domain, discovered in late December.
The certificate was erroneously issued by an intermediate certificate authority (CA) linking back to TurkTrust, a Turkish CA.
"Intermediate CA certificates carry the full authority of the CA, so anyone who has one can use it to create a certificate for any website they wish to impersonate," wrote Adam Langley, a Google software engineer, in a blog post Thursday.
Google detected the existence of the certificate on Christmas Eve, updated its Chrome browser the next day to block the intermediate CA and notified TurkTrust and other browser makers about the problem.
TurkTrust then conducted its own investigation and found out that in August 2011 it had mistakenly issued two intermediate CA certificates to organizations that should have instead received regular SSL certificates, according to Langley.
Google then updated Chrome again to block the second CA certificate and again notified other browser vendors.
"Our actions addressed the immediate problem for our users. Given the severity of the situation, we will update Chrome again in January to no longer indicate Extended Validation status for certificates issued by TurkTrust, though connections to TurkTrust-validated HTTPS servers may continue to be allowed," Langley wrote.
Google may take additional steps in reaction to this issue, he added.
A Google spokesman said via e-mail that although TurkTrust mistakenly issued two intermediate certificates, only one was used to generate an unauthorized certificate.
"We believe there was one case of the certificate being used internally on a company's network," the spokesman said.
The incident is "a really big deal," said Chester Wisniewski, a senior security advisor at Sophos, a security software vendor.
"Essentially what happened is that the certificate authority in Turkey gave the master keys to everybody's web browser to some random company by accident and it turned out it was later abused," he said.
Meanwhile, both Microsoft and Mozilla have issued their own alerts about the problem.
In a security advisory, Microsoft said it was aware of "active attacks" being carried out using the digital certificate.
"This fraudulent certificate could be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks against several Google web properties," the Microsoft alert said.
To protect Windows users, Microsoft has updated its Certificate Trust List (CTL) and is pushing out the new version to all supported releases of the OS.
Users whose systems are set up to receive automatic updates of revoked certificates don't need to do anything because their computers will be updated automatically. Other users are advised to implement this patch immediately.
In its blog post, Mozilla provided more information about the malicious use of the certificate, saying it was employed in a man-in-the-middle attack.
"We are also concerned that the private keys for these certificates were not kept as secure as would be expected for intermediate certificates," wrote Michael Coates, Mozilla's Director of Security Assurance, in the blog post.
Mozilla will update all supported versions of Firefox on Tuesday so that the browser will not accept the two fraudulent certificates.
Juan Carlos Perez covers enterprise communication/collaboration suites, operating systems, browsers and general technology breaking news for The IDG News Service. Follow Juan on Twitter at @JuanCPerezIDG.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts