Browser vendors block 'active attacks' using fraudulent digital cert

Microsoft joined Google and Mozilla in withdrawing the trust of digital certificates used in man-in-the-middle/spoofing attacks against the * domain.


Microsoft, Google and Mozilla separately nuked the trust of digital certificates issued by a Turkish certificate authority after spotting man-in-the-middle/spoofing attacks against the domain.

In a security advisory, Microsoft said it was aware of "active attacks" using a fraudulent digital certificate issued by TURKTRUST Inc., which is a CA present in the Trusted Root Certification Authorities Store of all the major web browsers.

The severity of the issue was heightened when TURKTRUST confirmed it incorrectly created two subsidiary CA for the Turkish government (*.EGO.GOV.TR and  The two intermediate CAs were issued since Auguest 2011.

"The *.EGO.GOV.TR subsidiary CA was then used to issue a fraudulent digital certificate to * This fraudulent certificate could be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks against several Google web properties," Microsoft warned.

In a separate warning, Google said its Chrome browser detected and  blocked an unauthorized digital certificate for the "*" domain.

"We investigated immediately and found the certificate was issued by an intermediate certificate authority (CA) linking back to TURKTRUST, a Turkish certificate authority. Intermediate CA certificates carry the full authority of the CA, so anyone who has one can use it to create a certificate for any website they wish to impersonate," the company said.

Google has since updated Chrome’s certificate revocation metadata to block that intermediate CA.   Given the severity of this ussue, Google plans to update Chrome again in January to no longer indicate Extended Validation status for certificates issued by TURKTRUST.

Mozilla also joined the other browser vendors in addressing this problem.  Mozilla director of security assurance Michael Coates said the open-source group will revoke the trust for the two mis-issued certificates in the next Firefox update due on Tuesday 8th January.