Browser vendors block 'active attacks' using fraudulent digital cert

Summary: Microsoft joined Google and Mozilla in withdrawing the trust of digital certificates used in man-in-the-middle/spoofing attacks against the *.google.com domain.

Microsoft, Google and Mozilla separately nuked the trust of digital certificates issued by a Turkish certificate authority after spotting man-in-the-middle/spoofing attacks against the Google.com domain.

In a security advisory, Microsoft said it was aware of "active attacks" using a fraudulent digital certificate issued by TURKTRUST Inc., which is a CA present in the Trusted Root Certification Authorities Store of all the major web browsers.

The severity of the issue was heightened when TURKTRUST confirmed it had incorrectly created two subsidiary CAs for the Turkish government (*.EGO.GOV.TR and e-islem.kktcmerkezbankasi.org). The two intermediate CAs date back to August 2011.

"The *.EGO.GOV.TR subsidiary CA was then used to issue a fraudulent digital certificate to *.google.com. This fraudulent certificate could be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks against several Google web properties," Microsoft warned.

In a separate warning, Google said its Chrome browser detected and blocked an unauthorized digital certificate for the "*.google.com" domain.

"We investigated immediately and found the certificate was issued by an intermediate certificate authority (CA) linking back to TURKTRUST, a Turkish certificate authority. Intermediate CA certificates carry the full authority of the CA, so anyone who has one can use it to create a certificate for any website they wish to impersonate," the company said.

Google has since updated Chrome’s certificate revocation metadata to block that intermediate CA. Given the severity of this issue, Google plans to update Chrome again in January to no longer indicate Extended Validation status for certificates issued by TURKTRUST.

Mozilla also joined the other browser vendors in addressing this problem. Mozilla director of security assurance Michael Coates said the open-source group will revoke the trust for the two mis-issued certificates in the next Firefox update due on Tuesday 8th January.
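The point in Google's statement, that a certificate carrying CA authority can sign for any name, and the vendors' response of blocking the intermediate, are shown below as an added example (not code from the article or from any browser vendor). It uses the Python `cryptography` package; every name and key is constructed for the demo, and expiry and hostname checks are left out.

```python
import datetime, hashlib
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

def make_cert(cn, key, issuer_cn, issuer_key, is_ca):
    """Build a constructed test certificate (all names are made up)."""
    now = datetime.datetime(2013, 1, 1)
    name = lambda s: x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, s)])
    return (x509.CertificateBuilder()
            .subject_name(name(cn)).issuer_name(name(issuer_cn))
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now)
            .not_valid_after(now + datetime.timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(issuer_key, hashes.SHA256()))

def spki_sha256(cert):
    """SHA-256 of the certificate's public key, used as the blocklist key."""
    der = cert.public_key().public_bytes(
        serialization.Encoding.DER, serialization.PublicFormat.SubjectPublicKeyInfo)
    return hashlib.sha256(der).hexdigest()

def check_chain(chain, blocked_spki):
    """chain is leaf-first, root-last. Returns (accepted, reason)."""
    for cert in chain:  # the blocklist wins even when every signature is valid
        if spki_sha256(cert) in blocked_spki:
            return False, "blocked key: " + cert.subject.rfc4514_string()
    for child, issuer in zip(chain, chain[1:]):
        bc = issuer.extensions.get_extension_for_class(x509.BasicConstraints).value
        if not bc.ca:  # an end-entity certificate must never act as an issuer
            return False, "issuer is not a CA: " + issuer.subject.rfc4514_string()
        # Raises InvalidSignature if the issuer's key did not sign the child.
        issuer.public_key().verify(child.signature, child.tbs_certificate_bytes,
                                   ec.ECDSA(child.signature_hash_algorithm))
    return True, "chain accepted"

# Constructed chains: the same subscriber certificate issued wrongly (CA) and correctly (EE).
root_k, sub_k, leaf_k = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
ROOT = make_cert("Example Root CA", root_k, "Example Root CA", root_k, True)
SUB_CA = make_cert("*.misissued.example", sub_k, "Example Root CA", root_k, True)
SUB_EE = make_cert("*.misissued.example", sub_k, "Example Root CA", root_k, False)
LEAF = make_cert("*.site.example", leaf_k, "*.misissued.example", sub_k, False)
```

With `SUB_CA` in the chain the leaf validates for an unrelated name; the same chain through `SUB_EE` is rejected, and adding `spki_sha256(SUB_CA)` to the blocklist rejects the mis-issued chain without touching the root.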

Topics: Security

About

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content managem...
