Google and Microsoft today began warning users about active phishing attacks against Google’s online properties. The two companies said the attacks resulted from a fraudulent digital certificate that was mistakenly issued by a Turkish domain registrar.
In a blog post published today, Google said that on Dec. 24, 2012, its Chrome Web browser detected and blocked an unauthorized digital certificate for the “*.google.com” domain.
“We investigated immediately and found the certificate was issued by an intermediate certificate authority (CA) linking back to TURKTRUST, a Turkish certificate authority,” wrote Adam Langley, a Google software engineer. “Intermediate CA certificates carry the full authority of the CA, so anyone who has one can use it to create a certificate for any website they wish to impersonate.”
Langley said that Google responded by Chrome on December 25 to block that intermediate CA, and then alerted TURKTRUST and other browser vendors. “TURKTRUST told us that based on our information, they discovered that in August 2011 they had mistakenly issued two intermediate CA certificates to organizations that should have instead received regular SSL certificates. On December 26, we pushed another Chrome metadata update to block the second mistaken CA certificate and informed the other browser vendors.”
Separately, Microsoft has issued an advisory with a bit more detail, saying it is aware of active attacks using one of the fraudulent digital certificates issued by TURKTRUST Inc.
“This fraudulent certificate could be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks. This issue affects all supported releases of Microsoft Windows,” the software giant warned.
According to Microsoft, TURKTRUST Inc. incorrectly created two subsidiary CAs (*.EGO.GOV.TR and e-islem.kktcmerkezbankasi.org). The *.EGO.GOV.TR subsidiary CA was then used to issue a fraudulent digital certificate to *.google.com. This fraudulent certificate could be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks against several Google web properties.” [link added]
It’s not clear yet whether this was an attack against Turkish residents, or if the targets were more widespread geographically. The domain that Microsoft mentioned in its advisory — kktcmerkezbankasi.org — is not resolving at the moment. But according to a screen shot of the domain’s home page taken by Domaintools.com on March 14, 2012 (see image above), the site represented itself as the Central Bank of the Turkish Republic of Northern Cyprus (TRNC), a financial institution established in Northern Cyprus in 1983.
In any case, compromises like this one can lead to colossal security failures. An attacker with certificate authority signing ability can sign certificates for virtually any domain. The TURKTRUST incident harkens back to another similar compromise that happened around the same timeframe. In September 2011, Dutch certificate authority Diginotar learned that a security breach at the firm had resulted in the fraudulent issuing of certificates. A follow-up investigation suggested that the attacker who penetrated the Dutch CA DigiNotar last year had complete control of all eight of the company’s certificate-issuing servers during the operation and he may also have issued some rogue certificates that have not yet been identified. Diginotar later declared bankruptcy.
Microsoft has pushed out an update that addresses this weakness and removes the fraudulent certificates from the list of trusted certs in Windows. According to Microsoft, the update should be automatically deployed to users on Windows 8, Windows RT, Windows Server 2012 and devices running Windows Phone 8. An automatic updater of revoked certificates is available for Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2, from this link. Windows XP and Windows Server 2003 customers can grab the update via Microsoft Update (it’s not immediately clear from Microsoft’s advisory whether users of other Windows versions can obtain the update from Microsoft Update as well).
Update, 3:57 p.m. ET:A previous version of this story incorrectly named TURKTRUST as an institution run by the Turkish government. The above copy has been corrected.
Update, 4:16 p.m. ET: Firefox browser maker Mozilla just published a blog post noting that it, too, was revoking the fraudulent certs.