Gmail Users Targeted By False SSL Certificate

It has emerged that for the past five weeks, Google users have been at risk from a falsely issued SSL certificate.

The security risk was reported on Sunday 28 August by an Iranian user named alibo on the Gmail forums. He posted a thread about receiving a certificate warning in his Chrome web browser about a revoked SSL certificate for SSL-based Google services.

“Today, when I trid (sic) to login to my Gmail account I saw a certificate warning in Chrome,” alibo posted. “I took a screenshot and I saved certificate to a file.”

Google Targeted

The certificate was valid for *.google.com and all its usb domains, including mail.google.com. The certificate was reportedly issued by Dutch SSL certificate authority (CA) DigiNotar.

More worryingly, however, is the news that the certificate was actually issued (falsely by DigiNotar) on 10 July, which means that for nearly two months now hackers will have been able to set up fake versions of Google websites that appeared genuine to Google users, as well as their web browsers.

This would have allowed the hackers to intercept usernames and passwords for people’s Google accounts.

Hack Detected

DigiNotar revoked the certificate on Monday 29 August at 16:59:03 GMT, and it seems that it was the victim of a hack, after DigiNotar’s parent, Vasco Data Security, made a statement on the matter.

“On July 19th 2011, DigiNotar detected an intrusion into its Certificate Authority (CA) infrastructure, which resulted in the fraudulent issuance of public key certificate requests for a number of domains, including Google.com,” Vasco said.

“Once it detected the intrusion, DigiNotar has acted in accordance with all relevant rules and procedures,” it added. “At that time, an external security audit concluded that all fraudulently issued certificates were revoked. Recently, it was discovered that at least one fraudulent certificate had not been revoked at the time.”

“After being notified by Dutch government organisation Govcert, DigiNotar took immediate action and revoked the fraudulent certificate,” it added.

“The attack was targeted solely at DigiNotar’s Certificate Authority infrastructure for issuing SSL and EVSSL certificates. No other certificate types were issued or compromised,” it said.

Vasco then said it would take every possible precaution to secure its SSL and EVSSL certificate offering, including temporarily suspending the sale of its SSL and EVSSL certificate offerings. The company will only restart its SSL and EVSSL certificate activities after thorough additional security audits by third party organisations.

Confidence Undermined

Unfortunately for DigiNotar and Vasco however, despite revoking all the fraudulently issued certificates on 19 July, it missed one. Also, many web browsers do not automatically check for revoked certificates by default.

And the issue has also further undermined confidence in the Secure Sockets Layer (SSL), which is a security protocol designed to authenticate sensitive Internet traffic, including online banking.

In June for example StartSSL, a certification authority offering free SSL certificates was compromised by unknown attackers. That company suspended issuing security certificates for websites as a “defensive measure”.

And earlier this year systems at Comodo, another certificate authority, were found to have been hacked and forced to issue forged certificates for Google, Microsoft, Skype and Yahoo! services. The firm said at the time that evidence indicated its attackers were based in Iran.

Revoked Trust

Essentially SSL certificates are supposed to act as an independent third party to verify that communication between a website and a browser are secure. But the hackers got around this by targeting the issuing certificate authority (i.e. DigiNotar) itself.

Meanwhile Mozilla has announced that it is releasing new versions of Firefox, Firefox Mobile and Thunderbird to revoke the trust of DigiNotar’s certificate for signing certificates.

Google has likewise followed suit, by marking DigiNotar untrusted in the next release of the Chrome OS (Chromium).

Microsoft is also reported to have said it would use software patches to revoke the DigiNotar’s authority to issue SSL certificates in future.