Ankara government agency may have created fake certificate for Google services, tech firms warn
A Turkish government agency has been accused of creating a fake digital certificate – now revoked by Google, Microsoft and Mozilla – which would allow fake Google.com services that could be used in so-called man-in-the-middle phishing attacks.
Any body that gets its hands on an official certificate from a certificate authority (CA) that is allowed to sign further certificates can join the circle of trust relied upon in secure connections, and then abuse that position to spy on users. Certificates are issued to website owners, who use them to present their public keys to users and prove who they are, so that an encrypted session can be established.
Turkish certificate authority TURKTRUST admitted it had mistakenly handed out official certificates to two non-Google organisations – one of them being the public transit agency EGO, based in the capital, Ankara. It is unknown what, if anything, EGO did with the certificate, but Microsoft claims the body had created a fraudulent digital certificate for Google.com.
“This fraudulent certificate could be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks against several Google web properties,” Microsoft warned in its advisory.
TechWeekEurope contacted EGO for a response, but had not received any information at the time of publication.
The fake certificate may have been created some time ago, as TURKTRUST told Google it had handed out the certificates back in August 2011. The parties involved should have received only regular SSL certificates, not certificates that effectively made them subsidiary CAs.
Mozilla highlighted further security issues surrounding the safety of private keys. “We are concerned that at least one of the mis-issued intermediate certificates was used for man-in-the-middle (MITM) traffic management of domain names that the customer did not legitimately own or control. We are also concerned that the private keys for these certificates were not kept as secure as would be expected for intermediate certificates,” it wrote in its own advisory.
Major browser makers have now removed the certificate from their chains of trust. Google went one step further and has all but cut ties with TURKTRUST.
“Given the severity of the situation, we will update Chrome again in January to no longer indicate Extended Validation status for certificates issued by TURKTRUST, though connections to TURKTRUST-validated HTTPS servers may continue to be allowed,” it wrote in a blog post.
“Since our priority is the security and privacy of our users, we may also decide to take additional action after further discussion and careful consideration.”
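To make the mechanics concrete, here is an added Go example; it is not code from the article, from TURKTRUST, or from any of the browser vendors. It builds a constructed test PKI in which a root CA issues a customer certificate with CA:TRUE (the mis-issuance described above), uses that certificate to sign a *.google.com leaf, shows that ordinary chain validation accepts the forgery, and then shows how distrusting that single intermediate by the hash of its public key rejects the chain, which is the effect of the browser makers removing the certificate from their chains of trust. All names, keys and the blocklist mechanism are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// newKey generates a fresh P-256 key for the constructed test PKI.
func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// issue signs a template with the parent's key and returns the parsed certificate.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// baseTemplate fills the fields every certificate in the example shares.
func baseTemplate(serial int64, cn string) *x509.Certificate {
	now := time.Now()
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
	}
}

// BuildMisissuedChain reproduces the shape of the incident with constructed
// names: the root issues a customer certificate carrying CA:TRUE, and the
// holder of that certificate then signs a *.google.com leaf.
func BuildMisissuedChain() (root, inter, leaf *x509.Certificate) {
	rootKey, interKey, leafKey := newKey(), newKey(), newKey()

	rootTmpl := baseTemplate(1, "Constructed Root CA")
	rootTmpl.IsCA, rootTmpl.BasicConstraintsValid = true, true
	rootTmpl.KeyUsage = x509.KeyUsageCertSign
	root = issue(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)

	// The customer should have received an end-entity certificate;
	// IsCA: true is the mistake that turns it into a subsidiary CA.
	interTmpl := baseTemplate(2, "customer.transit-agency.example")
	interTmpl.IsCA, interTmpl.BasicConstraintsValid = true, true
	interTmpl.KeyUsage = x509.KeyUsageCertSign
	inter = issue(interTmpl, root, &interKey.PublicKey, rootKey)

	leafTmpl := baseTemplate(3, "*.google.com")
	leafTmpl.DNSNames = []string{"*.google.com"}
	leafTmpl.KeyUsage = x509.KeyUsageDigitalSignature
	leafTmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	leaf = issue(leafTmpl, inter, &leafKey.PublicKey, interKey)
	return root, inter, leaf
}

// HasCAPower reports whether a certificate may sign other certificates; this
// is the check that would have flagged the customer certificate on issuance.
func HasCAPower(c *x509.Certificate) bool {
	return c.BasicConstraintsValid && c.IsCA
}

// SPKIHash is the hex SHA-256 of the SubjectPublicKeyInfo, a stable handle for
// distrusting one certificate without removing the root that issued it.
func SPKIHash(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// Verify runs standard chain validation for host and then rejects every chain
// that passes through a blocklisted SPKI hash (an assumed distrust mechanism).
func Verify(leaf, inter, root *x509.Certificate, host string, blocked map[string]bool) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(inter)
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: host})
	if err != nil {
		return err
	}
	for _, chain := range chains {
		clean := true
		for _, c := range chain {
			if blocked[SPKIHash(c)] {
				clean = false
				break
			}
		}
		if clean {
			return nil
		}
	}
	return fmt.Errorf("every chain for %s passes through a distrusted certificate", host)
}

func main() {
	root, inter, leaf := BuildMisissuedChain()
	fmt.Println("customer certificate can sign certificates:", HasCAPower(inter))
	fmt.Println("forged *.google.com chain before distrust:", Verify(leaf, inter, root, "www.google.com", nil))
	blocked := map[string]bool{SPKIHash(inter): true}
	fmt.Println("forged *.google.com chain after distrust:", Verify(leaf, inter, root, "www.google.com", blocked))
}
```

The first validation succeeds because nothing in the chain is malformed: the root really did sign the customer certificate, and the customer certificate really is marked as a CA. That is why the incident could only be contained by distrusting the mis-issued intermediate itself, and why the CA:TRUE flag on a customer certificate is the defect worth alerting on at issuance time.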
The CA system as a whole has been lambasted in recent times, as it relies entirely on trusting root certificate authorities – the bodies that issue the original certificates.
This trust has been undermined numerous times in the last two years. The most infamous case saw CA DigiNotar go bankrupt after certificates were stolen from it and then used to spy on Web users via man-in-the-middle attacks.
UPDATE: TURKTRUST has issued comment on its mistake. It said that certain certificates being used in testing environments for a new software deployment made their way into the production system.
It also said current evidence “strongly suggests that the *.google.com cert was not issued for dishonest purposes or has not been used for such a purpose”.
Yet TURKTRUST said a Turkish government employee loaded the certificate onto a firewall to intercept email traffic. According to the Freedom to Tinker blog, this was most likely done to perform man-in-the-middle interception of workers' traffic, rather than citizens'.
“The least paranoid version of events suggests that the device sat between the government’s internal network and the public internet, and that the only individuals affected were government employees in that office,” the blog read.
The CA’s full explanation of what happened can be found here.