Fake Turkish site certs create threat of bogus Google sites

After a Turkish Internet certificate authority "mistakenly" issues two unauthorized e-documents used to verify Web site authenticity, another organization creates a fraudulent certificate that could let it impersonate various Google sites. Browser makers have responded.

Seth Rosenblatt Former Senior Writer / News

Google and Microsoft revealed today that a certificate authority based in Turkey "mistakenly" issued security certificates last month, and that a recipient of one of the e-documents in turn created a bogus certificate that could let it impersonate various Google sites.

According to a blog post by Google engineer Adam Langley, Chrome detected and blocked an unauthorized security certificate for the domain "*.google.com" on December 24. After blocking the certificate, Langley said, Google investigated and determined the certificate came from an intermediate certificate authority that linked back to the Turkish certificate authority TurkTrust.

Fraudulent versions of certificates -- the e-documents used to verify Web site authenticity -- are no joke, since they can be used to perform phishing or man-in-the-middle attacks, or to spoof content.

After Google warned TurkTrust and other browser vendors, TurkTrust reported that it had mistakenly issued two intermediate certificates in August 2011 to organizations that should have received standard SSL certificates.

Microsoft wrote in its concurrent security advisory blog post that it has also blocked certificates from TurkTrust. "TurkTrust incorrectly created two subsidiary Certificate Authorities: (*.EGO.GOV.TR and e-islam.kktcmerkezbankasi.org). The *.EGO.GOV.TR subsidiary CA was then used to issue a fraudulent digital certificate to *.google.com," the company wrote.

People using Windows Vista or newer won't have to take any action, Microsoft said, as long as they have installed the Certificate Trust List from last June. Windows 8, Windows RT, Windows Server 2012, and devices running Windows Phone 8 will be automatically protected.

Langley added that Google's actions last month fixed the immediate security problem for Chrome users, but that the company will update the browser again in January to remove Extended Validation status for TurkTrust-issued certificates.

He finished by warning that it's possible Google "may also decide to take additional action after further discussion and careful consideration."

Mozilla has revoked trust for the two TurkTrust certificates and has suspended inclusion of the TurkTrust root certificate, pending further review.