by Gareth Morgan
04 Jan 2013
Browser makers have scrambled to release fixes to cover a security blunder that enabled attackers to create seemingly legitimate Google web pages, enabling the crooks to spy on the communications being exchanged.
Google was the first to notice something amiss, when it detected and blocked an unauthorised digital certificate for the “*.google.com” domain on Christmas Eve.
“We investigated immediately and found the certificate was issued by an intermediate certificate authority (CA) linking back to Turktrust, a Turkish certificate authority,” wrote Adam Langley, a Google software engineer on its security blog.
Subsequent checks by Turktrust revealed it had mistakenly issued two intermediate CA certificates to organisations that should have only received regular SSL certificates. An intermediate CA certificate can be used to create a certificate for any website – in this case ones related to Google – and should only be issued to a highly restricted number of organisations.
According to Chester Wisniewski, a senior security advisor at Sophos, one of the erroneously issued certificates was then used to create a man-in-the-middle attack to spy on secure communications intended for Google.
“We don't know where this occurred, but it doesn't technically matter very much. This means a Certificate Authority either issued certificates to someone who shouldn't have them or was compromised,” he wrote on a company blog.
“What I think it means is what I've said before: we can't trust the current Certificate Authority based SSL/TLS system. It is broken and I do not believe it can be easily fixed.”
Having been alerted to the problem, Google issued an update for Chrome users blocking the intermediate CA, and alerted other browser makers.
Microsoft and Mozilla have both subsequently issued updates revoking trust in the certificates.
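The two mechanisms the article describes, an intermediate CA certificate being valid for any website and a browser update that explicitly distrusts that intermediate, can be reproduced with a constructed certificate hierarchy. The following Go program is an added example written for this page, not code from Google, Turktrust or any browser vendor. It uses only the standard library's crypto/x509 package, generates a throwaway root, intermediate and leaf, and uses the constructed hostname "www.victim.example" as a stand-in for the "*.google.com" names involved in the incident. The constraint domain "customer.example" and all subject names are constructed as well.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// Scenario is a constructed hierarchy: a trusted root, an intermediate issued by
// that root, and a leaf the intermediate signed for a host its owner does not control.
type Scenario struct {
	Root, Inter, Leaf *x509.Certificate
}

// issue signs tmpl with parentKey; when parent is nil the certificate is self-signed.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// caTemplate is a minimal CA certificate template (constructed names).
func caTemplate(serial int64, cn string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

// BuildScenario creates the hierarchy. A non-empty permitted list adds a DNS name
// constraint to the intermediate, the control an unrestricted intermediate lacks.
func BuildScenario(leafHost string, permitted []string) (*Scenario, error) {
	root, rootKey, err := issue(caTemplate(1, "Constructed Root CA"), nil, nil)
	if err != nil {
		return nil, err
	}
	interTmpl := caTemplate(2, "Constructed Intermediate CA")
	if len(permitted) > 0 {
		interTmpl.PermittedDNSDomains = permitted
		interTmpl.PermittedDNSDomainsCritical = true
	}
	inter, interKey, err := issue(interTmpl, root, rootKey)
	if err != nil {
		return nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      pkix.Name{CommonName: leafHost},
		DNSNames:     []string{leafHost}, // wildcard SAN, as in the incident
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(90 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf, _, err := issue(leafTmpl, inter, interKey)
	if err != nil {
		return nil, err
	}
	return &Scenario{Root: root, Inter: inter, Leaf: leaf}, nil
}

// Fingerprint is the SHA-256 of the DER encoding, the usual key for a distrust list.
func Fingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.Raw)
	return hex.EncodeToString(sum[:])
}

// VerifyChain mirrors what a browser does: build a path from the leaf to a trusted
// root for the requested host, then refuse any path through a distrusted certificate.
func VerifyChain(s *Scenario, host string, distrusted map[string]bool) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(s.Root)
	inters.AddCert(s.Inter)
	chains, err := s.Leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots, Intermediates: inters})
	if err != nil {
		return err
	}
	for _, chain := range chains {
		clean := true
		for _, c := range chain {
			if distrusted[Fingerprint(c)] {
				clean = false
			}
		}
		if clean {
			return nil
		}
	}
	return fmt.Errorf("every chain passes through a distrusted certificate")
}

func main() {
	s, err := BuildScenario("*.victim.example", nil)
	if err != nil {
		panic(err)
	}
	fmt.Println("unrestricted intermediate, no distrust list:", VerifyChain(s, "www.victim.example", nil))
	block := map[string]bool{Fingerprint(s.Inter): true} // what a browser update pushes
	fmt.Println("intermediate explicitly distrusted:", VerifyChain(s, "www.victim.example", block))
	c, _ := BuildScenario("*.victim.example", []string{"customer.example"})
	fmt.Println("name-constrained intermediate:", VerifyChain(c, "www.victim.example", nil))
}
```

The first call succeeds because path validation only asks whether each signature chains to a trusted root; nothing in the leaf's name ties it to the intermediate's owner. The second call fails once the intermediate's fingerprint is on the distrust list, which is the shape of the fix Chrome, Microsoft and Mozilla shipped. The third call shows that a name constraint on the intermediate would have made the mis-issued leaf unverifiable without any emergency update.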
Joshua Dennis, chief security and operating officer for Wired Nation, told V3 that the high profile of Google's properties only increases the danger of the situation.
"Having fraudulent Google certificates out there, assuming they are out there, would have major implications because Google has their hands in so many systems: advertising, email, cell phones, data storage through Google Drive, YouTube, etc," he said.
Dennis reiterated the call to overhaul the SSL system with a more secure replacement.
"It is a major concern that an intermediate authority was able to have the right to create a certificate for Google’s domains, but that is part of the broken system of certificates," he explained.
Digital certificates were supposed to secure web communication, providing a mechanism for browsers to verify the sites they were communicating with were authentic.
But a number of problems have emerged, with attackers stealing certificates. In 2011, Dutch certificate authority DigiNotar was crippled after it emerged a security breach had resulted in it issuing bogus SSL certificates.