Rogue Google SSL certificate not used for dishonest purposes, Turktrust says
The certificate authority said that it issued two intermediate CA certificates as a result of an error
IDG News Service - Turktrust, the Turkish certificate authority (CA) responsible for issuing an intermediate CA certificate that was later used to generate an unauthorized certificate for google.com, claims that the bad Google certificate was not used for dishonest purposes.
On Thursday, Google, Mozilla and Microsoft announced that they are blacklisting two intermediate CA certificates that were mistakenly issued by Turktrust in August 2011 for two of its customers who should have received normal end-entity certificates for their respective domain names.
An intermediate or subordinate CA (sub-CA) certificate inherits the trust given by browsers to the issuing CA and allows its owner to sign and create trusted SSL certificates for virtually any domain name on the Internet.
Turktrust's error was discovered after one of the mis-issued sub-CA certificates was used to sign a wildcard certificate for *.google.com without authorization from Google, the domain name owner. The rogue certificate was used on Dec. 24, 2012, in an attempt to inspect the encrypted communications of a Google Chrome user using a man-in-the-middle technique that consisted of re-encrypting the user's traffic en-route using the fraudulent certificate.
Because the Google Chrome browser contains a hardcoded list of legitimate Google certificates -- a feature called certificate pinning -- it is able to detect the use of unauthorized certificates and report the incidents back to Google.
In a statement published on its website, Turktrust explained that the mis-issuing of the two intermediate CA certificates was the result of an undetected certificate profile migration error between the company's testing and production systems. As a result, the production system used for certificate issuing ended up with two certificate profiles that contained CA extensions and were intended to be used only for testing purposes.
"The wrong profiles were only used on August 8, 2011 to issue those two faulty certificates which were certainly not intended to be sub-CA certificates," the company said.
The presence of the bad certificate profiles on the production system was detected a couple of days later and the error was corrected. However, the company failed to notice that two certificates with sub-CA status had been issued in the meantime.
According to Turktrust, the production system went through a successful audit by professional services company KPMG in November 2011 and was found compliant with the policy requirements for certification authorities that issue public key certificates, ETSI technical specification 102 042.
The company also claims to have implemented two additional verification procedures to prevent similar situations from happening in the future, one for checking various certificate characteristics during the certificate issuing process and one for checking already issued certificates before they are sent to customers.
- Silicon Valley's 19 Coolest Places to Work
- Is Windows 8 Development Worth the Trouble?
- 8 Books Every IT Leader Should Read This Year
- 10 Hot Hadoop Startups to Watch
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- Infographic: Converged Infrastructure Benefits This Infographic quantifies the savings organizations are realizing from increased deployment speed, higher availability, and lower annual costs.
- CIOs Deliver Productivity Breakthroughs with Intelligent Digital Signage Retailers have long recognized the influence that digital signage provides over a shopper's point-of-purchase decision making process.
- Going Paperless? Here's What You Need to Think About As makers of some of the world's most popular PDF solutions, we often consult with businesses & governmental agencies that have the goal...
- The Big Data Opportunity for HR and Finance If CEOs, CFOs, CIOs, and CHROs want to drive their businesses forward, they will need to quickly recognize the enormous value of big...
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva.
- Top 4 Digital Signage Fails Join RMG Networks for a look at four of the most common reasons digital signage fails in corporate businesses. Learn about strategies to... All Data Security White Papers | Webcasts
Our new weekly Consumerization of IT newsletter covers a wide range of trends including BYOD, smartphones, tablets, MDM, cloud, social and what it all means for IT. Subscribe now and stay up to date!