All the latest UK technology news, reviews and analysis

Browser makers scramble after certificate blunder leads to Google attack

04 Jan 2013
Google logo

Browser makers have scrambled to release fixes to cover a security blunder that enabled attackers to create seemingly legitimate Google web pages, enabling the crooks to spy on the communications being exchanged.

Google was the first to notice something amiss, when it detected and blocked an unauthorised digital certificate for the “*” domain on Christmas Eve.

“We investigated immediately and found the certificate was issued by an intermediate certificate authority (CA) linking back to Turktrust, a Turkish certificate authority,” wrote Adam Langley, a Google software engineer on its security blog.

Subsequent checks by Turktrust revealed it had mistakenly issued two intermediate CA certificates to organisations that should have only received regular SSL certificates. An intermediary CA certificate can be used to create a certificate for any website – in this case ones related to Google – and should only be issued to a highly restricted number of organisations.

According to Chester Wisniewski, a senior security advisor at Sophos, one of the erroneously issued certificates was then used to create a man-in-the-middle attack to spy of secure communications intended for Google

“We don't know where this occurred, but it doesn't technically matter very much. This means a Certificate Authority either issued certificates to someone who shouldn't have them or was compromised,” he wrote on a company blog.

“What I think it means is what I've said before: we can't trust the current Certificate Authority based SSL/TLS system. It is broken and I do not believe it can be easily fixed.”

Having being alerted to the problem, Google issued an update for Chrome users blocking the intermediate CA, and alerted other browser makers.

Microsoft and Mozilla have both subsequently issued updates revoking the trust in the certificates.

Joshua Dennis, chief security and operating officer for Wired Nation, told V3 that the high-profile of Google's properties only increases the danger of the situation.

"Having fraudulent Google certificates out there, assuming they are out there, would have major implications because Google has their hands in so many systems:, advertising, email, cell phones, data storage through Google Drive, You Tube, etc," he said.

Dennis reiterated the call to overhaul the SSL system with a more secure replacement.

"It is a major concern that an intermediate authority was able to have the right to create a certificate for Google’s domains, but that is part of the broken system of certificates," he explained.

Digital certificates were supposed to secure web communication, providing a mechanism for browsers to verify the sites they were communicating with were authentic.

But a number of problems have emerged, with attackers stealing certificates. In 2011, Dutch certificate authority DigiNotar was crippled after it emerged a security breach had resulted in it issuing bogus SSL certificates.

  • Comment  
  • Tweet  
  • Google plus  
  • Facebook  
  • LinkedIn  
  • Stumble Upon  
More on Security
What do you think?
blog comments powered by Disqus

BYOD vs CYOD vs BYOC poll

Which approach is your firm taking to managing employees' mobile devices?

Popular Threads

Powered by Disqus
Sony Xperia Z2 Tablet powered by Android KitKat 4.4

Sony Xperia Z2 Tablet video

We take a look at the lightweight, waterproof tablet

Updating your subscription status Loading

Get the latest news (daily or weekly) direct to your inbox with V3 newsletters.

newsletter sign-up button

Data protection: the key challenges

Deduplication is a foundational technology for efficient backup and recovery


iPad makes its mark in the enterprise

The iPad can become a supercharged unified communications endpoint, allowing users to enhance their productivity

Senior IS Compliance Analyst (Risk Assessments) - Growing area

Senior IS Compliance Analyst / Risk Analyst (Risk Assessments...

Web Designer / UI Front End Developer - Opp in new department!

Web Designer / UI Front End Developer (HTML(5), CSS...

Senior Product Manager x2 (Online & Web Platform) - Global Org

Senior Product Manager x2 (Online, Software & Web...

Senior Web Developer / OO Software Engineer (Learn Ruby!)

Senior Web Developer / Software Engineer (Opportunity...
To send to more than one email address, simply separate each address with a comma.