Security

Misstep could have led to fake Google site, man-in-the-middle attacks

Google got an early lump of coal on Christmas Eve when the company discovered “an unauthorized digital certificate for the ‘*.google.com’ domain.” This means someone out there was trying to pretend to be Google.

Google was able to follow the falsified certificate back to Turktrust, an organization that issues digital certificates in Turkey. Digital certificates show you and the website you’re accessing that you can trust each other. When you access Google, you’re supposed to trust that it is Google. If your certificate is fake, however, you don’t know whose website you’re actually accessing.

After Google got in touch, the certificate company realized that it had wrongly given out two “intermediate certificate authorities” in August 2011. As Google explains in a blog post, “Intermediate CA certificates carry the full authority of the CA, so anyone who has one can use it to create a certificate for any website they wish to impersonate.”

Because of this, both Google’s Chrome browser and now Mozilla’s Firefox will no longer “trust” certificates form Turktrust. Microsoft has also followed suit¬†and gone so far as to identify the two organizations that received the intermediate certificate authorities. They are *.EGO.GOV.TR and e-islem.kktcmerkezbankasi.org.

“The *.EGO.GOV.TR subsidiary CA was then used to issue a fraudulent digital certificate to *.google.com,” said Microsoft in a blog post. “This fraudulent certificate could be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks against several Google web properties.”

hat tip Wired; Google image via Robert Scoble/Flickr