January 4, 2013
Certificate Authority Issues Lead Hackers To Impersonate Google
Lee Rannals for redOrbit.com — Your Universe Online
Google wrote in a blog post titled "Enhancing digital certificate security" that it first detected the problem using Chrome's certificate pinning on December 24th.
Criminals used fake credentials to create a website that claimed to be part of the Google+ social media network. They were able to exploit ID credentials that browsers use to ensure a website is who it claims to be.
Turkish security firm TurkTrust revealed through an investigation that it accidentally issued the wrong type of security credential, a form of ID known as an intermediate certificate. Instead of issuing low-level certificates, it gave out two "master keys" that are only given to owners of websites.
"These certificates could be used to impersonate any website to any browser without the end user being alerted that anything is wrong," security analyst Chester Wisniewski from Sophos wrote in a blog post.
Wisniewski said the certificates are important because secure use of web shops and other services needs interaction between the master keys and lower-level security credentials.
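The mechanism described above, as an added model that is not code from the article or from any browser vendor: an intermediate certificate flagged as a CA can sign a leaf for any hostname and ordinary path validation accepts it, while a pin on the site's own issuing key (the check Chrome used to detect the problem) rejects the same chain. All certificate names and keys below are constructed; a real client validates signed X.509 structures and hashes real SubjectPublicKeyInfo values.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str        # hostname or CA name
    spki: bytes         # subject public key, modelled as raw bytes
    issuer_spki: bytes  # public key of the certificate that signed this one
    is_ca: bool         # basicConstraints CA flag: may this cert sign others?

def spki_hash(spki: bytes) -> str:
    """SHA-256 of the public key: the value a pin set (HPKP/Chrome) lists."""
    return hashlib.sha256(spki).hexdigest()

def build_chain(leaf, intermediates, roots):
    """Follow issuer links from the leaf to a trusted root; None if no path."""
    by_key = {c.spki: c for c in intermediates}
    root_by_key = {r.spki: r for r in roots}
    chain, cur = [leaf], leaf
    for _ in range(8):  # bound the walk; real chains are short
        if cur.issuer_spki in root_by_key:
            return chain + [root_by_key[cur.issuer_spki]]
        parent = by_key.get(cur.issuer_spki)
        if parent is None or not parent.is_ca:
            return None  # unknown signer, or signer not entitled to issue
        chain.append(parent)
        cur = parent
    return None

def check(leaf, intermediates, roots, pins, hostname):
    """Return (path_valid, pin_ok): what plain PKI says vs what pinning says."""
    chain = build_chain(leaf, intermediates, roots)
    path_valid = chain is not None and chain[0].subject == hostname
    pin_ok = path_valid and any(spki_hash(c.spki) in pins for c in chain)
    return path_valid, pin_ok

# Constructed sample PKI (not real keys): a root in the browser store, the
# CA's proper intermediate, and a second intermediate mis-issued to a customer.
ROOT = Cert("constructed-root-ca", b"root-key", b"root-key", True)
GOOD_INT = Cert("site-owner-intermediate", b"good-int-key", b"root-key", True)
BAD_INT = Cert("customer-org", b"customer-key", b"root-key", True)  # is_ca should have been False
PINS = {spki_hash(b"good-int-key")}  # the site pins its own issuing CA

def rogue_result():
    leaf = Cert("www.example.com", b"rogue-leaf", b"customer-key", False)  # signed by BAD_INT
    return check(leaf, [GOOD_INT, BAD_INT], [ROOT], PINS, "www.example.com")

def legit_result():
    leaf = Cert("www.example.com", b"real-leaf", b"good-int-key", False)  # signed by GOOD_INT
    return check(leaf, [GOOD_INT, BAD_INT], [ROOT], PINS, "www.example.com")
```

The rogue chain returns (True, False): path validation trusts it because it ends at a store root, and only the pin check exposes the unexpected issuer.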
"Given the severity of the situation, we will update Chrome again in January to no longer indicate Extended Validation status for certificates issued by TurkTrust, though connections to TurkTrust-validated HTTPS servers may continue to be allowed," Google software engineer Adam Langley wrote in a blog post.
Microsoft said it would update its Certificate Trust List and would also provide a Windows update to remove trust in the fake certificates.
Back in 2011, another fake certificate allowed hackers to steal passwords and data from Google sites for nearly two months before it was blocked.
"What I think it means is what I've said before: we can't trust the current Certificate Authority based SSL/TLS system. It is broken and I do not believe it can be easily fixed," Wisniewski wrote.
"It is really time we move on from this 20-year-old, poorly implemented system," he added. "Whether it is the Public Key Pinning Extension for HTTP, Convergence, Trusted Assertions for Certificate Keys (TACK) or DNSSEC-TLS, we've got to pick something and start implementing it."