Turkish Digital Certificate Blunder Caused by Government Agency
An unauthorized digital certificate issued for search specialist Google has been used for rogue purposes since August 2011, undermining digital trust and the public key infrastructure. This impersonation attack was, however, carried out not by hackers but by a government agency trying to spy on its own employees.
On December 24, Google found that an unauthorized digital certificate was being used to pass off rogue web pages as legitimate Google services, including Google Mail and Google Search.
According to Google, the issue originated with an Ankara-based agency called EGO, which applied for an SSL certificate but was instead granted two intermediate CA certificates by TURKTRUST. This allowed EGO to issue valid digital certificates for virtually ANY company on earth. Such a certificate would let a malicious party carry out a man-in-the-middle attack: intercept SSL traffic, decrypt and read it, then re-encrypt it and forward it to the end user. Because the traffic is encrypted with a valid digital certificate issued for the specific target, there would be no visible sign of an attack in progress.
The issue went undetected for months, and the company only learned of the abuse after its own browser, Chrome, reported encountering a valid certificate for Google that was plainly different from the one Google actually uses.
“In response, we updated Chrome’s certificate revocation metadata on December 25 to block that intermediate CA, and then alerted TURKTRUST and other browser vendors [...] On December 26, we pushed another Chrome metadata update to block the second mistaken CA certificate and informed the other browser vendors,” wrote software engineer Adam Langley on the company blog.
In addition, other major browsers such as Firefox and Internet Explorer have received updates to block certificates issued by the intermediate certificate authority.
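The two mechanisms described above, an intermediate CA certificate that lets its holder sign for any hostname, and the client-side blocking that browsers pushed in response, can be shown end to end with Go's standard crypto/x509 package. The following is an added example written for this article, not code from Google, TURKTRUST or any browser vendor; it builds a throwaway root, a mistakenly issued intermediate and a forged leaf certificate for the constructed hostname mail.victim.example (the domain agency.example is likewise a placeholder), then runs the same chain through plain path validation, a fingerprint block list modelling a revocation metadata push, and a key pin set, and finally shows, going slightly beyond the article, that a name constraint on the intermediate would have stopped the forgery at issuance time.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// Chain is a constructed root -> intermediate -> leaf hierarchy standing in for
// "trusted root, mistakenly issued intermediate, forged site certificate".
type Chain struct{ Root, Intermediate, Leaf *x509.Certificate }

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// issue signs tmpl with the parent's key and parses the resulting certificate.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// BuildChain issues an intermediate under a root, then lets that intermediate
// issue a certificate for a host it should never vouch for. All names are
// constructed placeholders. With constrained=true the intermediate carries a
// critical name constraint limiting it to agency.example, the control a CA
// can place on a subordinate certificate it hands out.
func BuildChain(constrained bool) Chain {
	now := time.Now()
	rootKey, interKey, leafKey := newKey(), newKey(), newKey()
	ca := func(serial int64, cn string) *x509.Certificate {
		return &x509.Certificate{
			SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
			IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
		}
	}
	rootTmpl := ca(1, "Constructed Root CA")
	root := issue(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)

	interTmpl := ca(2, "Constructed Misissued Intermediate CA")
	if constrained {
		interTmpl.PermittedDNSDomainsCritical = true
		interTmpl.PermittedDNSDomains = []string{"agency.example"}
	}
	inter := issue(interTmpl, root, &interKey.PublicKey, rootKey)

	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: "mail.victim.example"},
		DNSNames:    []string{"mail.victim.example"},
		NotBefore:   now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return Chain{root, inter, issue(leafTmpl, inter, &leafKey.PublicKey, interKey)}
}

func hexSHA256(b []byte) string {
	s := sha256.Sum256(b)
	return hex.EncodeToString(s[:])
}

// Fingerprint is the SHA-256 of the DER certificate, the identifier a
// client-side block list carries.
func Fingerprint(c *x509.Certificate) string { return hexSHA256(c.Raw) }

// SPKIHash is the SHA-256 of the SubjectPublicKeyInfo, the value that key
// pinning compares against.
func SPKIHash(c *x509.Certificate) string { return hexSHA256(c.RawSubjectPublicKeyInfo) }

// Verify models a client: standard path validation to the trusted root, then a
// block list of fingerprints (the effect of a revocation metadata push), then
// an optional pin set that at least one chain member's SPKI must match.
func Verify(ch Chain, host string, blocked, pins map[string]bool) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(ch.Root)
	inters.AddCert(ch.Intermediate)
	chains, err := ch.Leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots, Intermediates: inters})
	if err != nil {
		return fmt.Errorf("path validation failed: %w", err)
	}
	pinned := len(pins) == 0
	for _, c := range chains[0] {
		if blocked[Fingerprint(c)] {
			return fmt.Errorf("%q is on the block list", c.Subject.CommonName)
		}
		pinned = pinned || pins[SPKIHash(c)]
	}
	if !pinned {
		return fmt.Errorf("no certificate in the chain matches a pinned key for %s", host)
	}
	return nil
}

func main() {
	host := "mail.victim.example"
	ch := BuildChain(false)
	fmt.Println("plain validation:    ", Verify(ch, host, nil, nil))
	fmt.Println("with block list:     ", Verify(ch, host, map[string]bool{Fingerprint(ch.Intermediate): true}, nil))
	fmt.Println("with key pinning:    ", Verify(ch, host, nil, map[string]bool{"constructed-pin-of-genuine-key": true}))
	fmt.Println("name-constrained CA: ", Verify(BuildChain(true), host, nil, nil))
}
```

The first result is the worrying one: the forged leaf validates cleanly, because nothing in ordinary path validation ties an intermediate to a set of hostnames. The block list is the coarse emergency fix the browsers shipped, the pin set is the kind of check that let Chrome notice a certificate that did not match the key Google really uses, and the name constraint is what prevents a subordinate CA certificate from becoming a licence to sign for the whole internet in the first place.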
Digital trust underpins a range of security mechanisms, from securing communication via SSL to code running at the lowest levels of the operating system. It relies on certificate authorities and their partners taking every precaution to control the certificate issuing process properly. A single flaw can have disastrous consequences, such as the massive interception of user communication or the creation of state-of-the-art malware such as Stuxnet.