Browser makers scramble after certificate blunder leads to Google attack

04 Jan 2013

Browser makers have scrambled to release fixes covering a certificate authority blunder that allowed an attacker to impersonate Google's websites with seemingly legitimate certificates and spy on the communications exchanged with them.

Google was the first to notice something amiss, when it detected and blocked an unauthorised digital certificate for the “*.google.com” domain on Christmas Eve.

“We investigated immediately and found the certificate was issued by an intermediate certificate authority (CA) linking back to Turktrust, a Turkish certificate authority,” wrote Adam Langley, a Google software engineer, on the company's security blog.

Subsequent checks by Turktrust revealed it had mistakenly issued two intermediate CA certificates to organisations that should only have received regular SSL certificates. An intermediate CA certificate can be used to sign a certificate for any website, and browsers will accept that certificate because it chains back to a trusted root; in this case it was used for Google's domains. Such certificates should therefore only be issued to a highly restricted number of organisations.

According to Chester Wisniewski, a senior security advisor at Sophos, one of the erroneously issued certificates was then used to mount a man-in-the-middle attack and spy on secure communications intended for Google.

“We don't know where this occurred, but it doesn't technically matter very much. This means a Certificate Authority either issued certificates to someone who shouldn't have them or was compromised,” he wrote on a company blog.

“What I think it means is what I've said before: we can't trust the current Certificate Authority based SSL/TLS system. It is broken and I do not believe it can be easily fixed.”

Having been alerted to the problem, Google issued an update for Chrome users blocking the intermediate CA, and alerted other browser makers.

Microsoft and Mozilla have both subsequently issued updates revoking trust in the certificates.

Joshua Dennis, chief security and operating officer for Wired Nation, told V3 that the high profile of Google's properties only increases the danger of the situation.

"Having fraudulent Google certificates out there, assuming they are out there, would have major implications because Google has their hands in so many systems: advertising, email, cell phones, data storage through Google Drive, YouTube, etc," he said.

Dennis reiterated the call to overhaul the SSL system with a more secure replacement.

"It is a major concern that an intermediate authority was able to have the right to create a certificate for Google’s domains, but that is part of the broken system of certificates," he explained.

Digital certificates are meant to secure web communication by giving browsers a mechanism to verify that the sites they are communicating with are who they claim to be.

But a number of problems have emerged, with attackers obtaining fraudulent certificates by compromising certificate authorities. In 2011, Dutch certificate authority DigiNotar was crippled after it emerged that a security breach had resulted in it issuing bogus SSL certificates.
