Google on Thursday said that late on Christmas Eve it detected and blocked an unauthorized digital certificate created for the “*.google.com” domain, issued by an intermediate certificate authority (CA) that chained back to the Turkish certificate authority TURKTRUST.
Google has since updated Chrome’s certificate revocation metadata to block the intermediate CA, and said they have alerted TURKTRUST and other browser vendors of the issue.
“TURKTRUST told us that based on our information, they discovered that in August 2011 they had mistakenly issued two intermediate CA certificates to organizations that should have instead received regular SSL certificates,” Adam Langley, Software Engineer at Google wrote in a blog post on Thursday.
“Given the severity of the situation, we will update Chrome again in January to no longer indicate Extended Validation status for certificates issued by TURKTRUST, though connections to TURKTRUST-validated HTTPS servers may continue to be allowed,” Langley added.
Microsoft on Thursday also issued a security advisory on the incident and took measures to protect customers, saying it would update the Certificate Trust List (CTL) and provide an update for all supported releases of Microsoft Windows to remove trust in the certificates in question.
“Microsoft is aware of active attacks using one fraudulent digital certificate issued by TURKTRUST Inc., which is a CA present in the Trusted Root Certification Authorities Store,” the advisory notes.
Because an intermediate CA certificate carries the full authority of the CA that issued it, an attacker holding one could use it to create a certificate for any website they want to impersonate.
“The fraudulent certificate could be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks against several Google web properties,” Microsoft’s advisory continued.
The issue affects all supported releases of Microsoft Windows.
According to Microsoft, TURKTRUST incorrectly created two subsidiary CAs (*.EGO.GOV.TR and e-islam.kktcmerkezbankasi.org), of which *.EGO.GOV.TR was used to issue a fraudulent digital certificate to google.com.
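The chain described above, as an added example that is not part of the article or of any vendor's code: a Go (standard library only) model in which a constructed demo root issues two intermediates, one named *.EGO.GOV.TR after the page, and the mis-issued one signs a *.google.com certificate. Ordinary path validation accepts that certificate because it chains to a trusted root, while a public-key pin for the intermediate the relying party actually expects rejects it. All names, serial numbers and keys are constructed, and `Issue`, `SPKI`, `Check` and `Scenario` are this example's own helpers.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// Issue creates a CA (ca == true) or server certificate for cn, signed by parentKey; a nil parent means a self-signed root.
func Issue(cn string, ca bool, serial int64, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: ca, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	if !ca {
		t.KeyUsage, t.DNSNames = x509.KeyUsageDigitalSignature, []string{cn} // server cert: SAN instead of CA powers
	}
	pub, key, _ := ed25519.GenerateKey(rand.Reader) // fresh constructed key for every certificate
	if parent == nil {
		parent, parentKey = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// SPKI is the SHA-256 of the SubjectPublicKeyInfo, the value a public-key pin refers to.
func SPKI(c *x509.Certificate) [32]byte { return sha256.Sum256(c.RawSubjectPublicKeyInfo) }
// Check does ordinary path validation (any chain to the trusted root passes), then the pin test: a presented certificate must carry a pinned key.
func Check(leaf, inter, root *x509.Certificate, host string, pins map[[32]byte]bool) (pathValid, pinOK bool) {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(inter)
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: host}); err != nil {
		return false, false
	}
	return true, pins[SPKI(leaf)] || pins[SPKI(inter)] || pins[SPKI(root)]
}
// Scenario mirrors the incident with constructed names: the root issued two intermediates, the mis-issued one signs *.google.com, and the relying party pins the intermediate it expects.
func Scenario() (pathValid, pinOK bool) {
	root, rootKey := Issue("Demo Root CA", true, 1, nil, nil)
	expected, _ := Issue("Demo Expected Intermediate", true, 2, root, rootKey)
	rogue, rogueKey := Issue("*.EGO.GOV.TR", true, 3, root, rootKey)
	leaf, _ := Issue("*.google.com", false, 4, rogue, rogueKey)
	return Check(leaf, rogue, root, "www.google.com", map[[32]byte]bool{SPKI(expected): true})
}
```

`Scenario()` returns `(true, false)`: path validation accepts the rogue-issued certificate, the pin check does not; the same leaf issued by the expected intermediate passes both checks.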
For mitigation, Microsoft said that for systems using the automatic updater of revoked certificates (including Windows 8, Windows RT, Windows Server 2012), no action is needed by end users, as the systems will be automatically protected.
“For Windows XP and Windows Server 2003 customers or customers who choose not to install the automatic updater of revoked certificates, Microsoft recommends that the 2798897 update be applied immediately using update management software, by checking for updates using the Microsoft Update service, or by downloading and applying the update manually,” the advisory notes.
Mozilla is also addressing the issue and said Thursday that it was revoking trust for the two certificates.
“We are concerned that at least one of the mis-issued intermediate certificates was used for man-in-the-middle (MITM) traffic management of domain names that the customer did not legitimately own or control,” Michael Coates, Director of Security Assurance at Mozilla wrote in a blog post Thursday. “We are also concerned that the private keys for these certificates were not kept as secure as would be expected for intermediate certificates.”
“Mozilla is actively revoking trust for the two mis-issued certificates which will be released to all supported versions of Firefox in the next update on Tuesday 8th January,” Coates said. “We have also suspended inclusion of the “TÜRKTRUST Bilgi İletişim ve Bilişim Güvenliği Hizmetleri A.Ş. (c) Aralık 2007” root certificate, pending further review.”
Google said that it may also take additional action after looking into the issue further.
“The TURKTRUST situation is further evidence that cyber criminals are using their attacks on certificate authorities (CAs) to perpetrate man-in-the-middle and phishing attacks,” Jeff Hudson, CEO of Venafi told SecurityWeek via email.
“Enterprises need to recognize that certificate-based attacks are no longer hypothetical and have become a preferred attack vector. Every organization needs to be prepared for this inevitable fact of IT security life,” Hudson, who is a regular SecurityWeek columnist, continued. “Recent guidance from NIST provides the clear roadmap for organizations to prepare for an attack on their internal or external CAs and how to respond. These attacks demand a response within minutes, otherwise any enterprise from a bank to retailer to manufacturer is vulnerable to costly breaches and brand damage.”
“The fact that the Intermediate CA certificate used to launch the attack carries the full authority of the CA it is linked to and can be used to impersonate any entity is just another example of how every organization must be prepared,” Hudson added. “CAs must recognize the drastic implications of mistakenly issuing a certificate and there must be steps taken by the industry to prevent such security lapses.”