Fake SSL certificates pirate Web sites

It used to be you knew you could trust a Web site when your Web browser securely connects to it with a valid HTTPS connection. Now, that's trust has been shaken.
Written by Steven Vaughan-Nichols, Senior Contributing Editor

There's never much you could really trust in computer security, but you could usually put your faith in a Hypertext Transfer Protocol Secure (HTTPS) connection being secure. The combination of the Web's HTTP and security provided by the Transport Layer Security (TLS) or Secure Sockets Layer (SSL) protocols was a gold standard of Internet security. Oh well, it was nice while it lasted. Now we need to be wary of those as well thanks to DigiNotar, a Dutch Certificate Authority (CA), being cracked and then issuing fake SSL certificates.

Here's how this newest network security fiasco came about. DigiNotar was cracked on August 28th by a Farsi speaking cracker, probably from Iran. Once in, he was able  to issue public key certificates for numerous legitimate sites, such as Google and Microsoft to various malicious ISPs.

So, what did that mean for users? Say you were in Tehran and you wanted to check your Gmail account. If you log into your account, and your ISP has been corrupted or is in on the SSL certificate fraud, it would look like you have a normal secure connection to Gmail. Wrong.

According to Google what actually happened was that you've been caught in an SSL man-in-the-middle (MITM) attacks. Armed with the fake SSL certificate, the crackers--perhaps the Iranian government--could watch and read your e-mail traffic go back and forth between your computer and Google, and many other Web sites, services.

It works like this. Web servers and browsers rely on SSL or TLS to create an encrypted channel for private communications over the Internet. Each SSL Certificate consists of a public key and a private key. The public key is used to encrypt information and the private key is used to decipher it. When a Web browser points to a secured domain, an encrypted connection is established based on the type of SSL Certificate; the client Web browser; operating system; and Web server's capabilities.

Typically a HTTPS connection uses 128 to 256-bit encryption. While that's breakable, it's beyond the capabilities of most crackers. If someone gets a fraudulent SSL certificate, though, your traffic will go back and forth, apparently as normal, but actually every byte you send and receive using the fake certificate can be read by the man-in-the-middle cracker.

While some Web browsers, like Chrome, were still able to catch that there was something wrong and warned users that there was something fishy about their connection, others were not so lucky. By early on Sunday, though, Google, Mozilla and Microsoft had all caught on to what was going in and had banned the fake DigiNotar certificates in their browsers.

To make doubly sure, Microsoft today, September 6th, has banned the use of all SSL certificates from DigiNotar. While Microsoft has been able to make that stick with modern versions of Windows, it's still possible for Windows XP and Windows Server 2003 users to connect through a falsely secured connection. Microsoft states they'll be issuing a patch soon. In the meantime, if I were you, I'd use Google's Chrome Web browser and not use Windows Update until this problem is nailed down once and for all.

UPDATE September 7th.: Microsoft has issued its updated CA list for XP and 2003. Update your systems now.

This, let me point out, is not a Windows, Mac OS X, or Linux problem. It's not even a browser problem per se. It's a problem with a trusted Internet source being compromised and everyone else potentially paying the price. The problem behind the browser security problem is that it's now been shown that what had been a heretofore trustworthy CA can be hacked. For those of us who are seriously concerned about security, that means we can no longer assume that even a HTTPS connection is probably secure. Wonderful. Just wonderful.

Related Stories:

Google, Mozilla and Microsoft ban the DigiNotar Certificate Authority in their browsers

Facebook, Google, CIA, MI6 targeted in Dutch government certificate hack

Twitter adds SSL security

Are your search engine queries being hijacked?

We're a long, long way from securing the Web with SSL/TLS

Editorial standards