Google, Microsoft and Mozilla announced on Jan 3 that they are revoking trust in two digital certificates accidentally issued by Turkish certificate authority (CA) TURKTRUST. When you start talking about another CA fiasco, there are many people whose eyes glaze over when reading technical details because they know it's bad, but really have no idea why it is so dangerous for digital certificates that are considered trusted to end up being untrusted. The root problem with a bad digital certificate is that it is a certified lie that allows people to easily be compromised by bad actors, cybercriminals or by Big Brother in your browser.
Silently in the background of most browsers, new digital certificates from valid CAs are accepted. Many people feel fairly safe when they see the padlock in their browser window which allegedly indicates an SSL-enabled secure connection for private communications like banking or email. But an eavesdropping attacker who can obtain a fake digital certificate can successfully impersonate every encrypted website you visit without you knowing that you are not on the genuine site. By using a fraudulent certificate, an eavesdropper can quietly launch a man-in-the-middle (MITM) attack to watch or record all encrypted web traffic while the user is clueless that it's happening. In other words, there is nothing private or secure about your encrypted web browsing.
Adam Langley, Google Software Engineer, wrote that "Chrome detected and blocked an unauthorized digital certificate for the "*.google.com" domain" on Christmas Eve. "We investigated immediately and found the certificate was issued by an intermediate certificate authority (CA) linking back to TURKTRUST, a Turkish certificate authority. Intermediate CA certificates carry the full authority of the CA, so anyone who has one can use it to create a certificate for any website they wish to impersonate."
On Christmas, Google blocked that intermediate CA and alerted TURKTRUST and other browser vendors. TURKTRUST told Google that in August 2011, "they had mistakenly issued two intermediate CA certificates to organizations that should have instead received regular SSL certificates." On Dec 26, Google pushed "another Chrome metadata update to block the second mistaken CA certificate and informed the other browser vendors." Langley added, "Given the severity of the situation, we will update Chrome again in January to no longer indicate Extended Validation status for certificates issued by TURKTRUST."
Regarding Mozilla Firefox, Michael Coates wrote that Mozilla is suspending the inclusion of a TURKTRUST root certificate. "There are currently two TURKTRUST root certificates included in Mozilla's CA Certificate program. TURKTRUST had requested that a newer root certificate be included, and their request had been approved and was in Firefox 18 beta. However, due to the mis-issued intermediate certificates, we decided to suspend inclusion of their new root certificate for now."
Although there is a technical discussion on the Mozilla developers security policy group, Coates has the best non-technical description of just how dangerous the issue can be. He described the impact as:
An intermediate certificate that is used for MITM allows the holder of the certificate to decrypt and monitor communication within their network between the user and any website. Additionally, If the private key to one of the mis-issued intermediate certificates was compromised, then an attacker could use it to create SSL certificates containing domain names or IP addresses that the certificate holder does not legitimately own or control. An attacker armed with a fraudulent SSL certificate and an ability to control their victim's network could impersonate websites in a way that would be undetectable to most users. Such certificates could deceive users into trusting websites appearing to originate from the domain owners, but actually containing malicious content or software.
Microsoft also issued a Fraudulent Digital Certificates Could Allow Spoofing security advisory. "Microsoft is aware of active attacks using one fraudulent digital certificate issued by TURKTRUST Inc., which is a CA present in the Trusted Root Certification Authorities Store." All supported Microsoft Windows releases are affected by this issue. "This fraudulent certificate could be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks against several Google web properties." So "Microsoft is updating the Certificate Trust list (CTL) and is providing an update for all supported releases of Microsoft Windows that removes the trust of certificates that are causing this issue."
Meanwhile, Microsoft has allegedly received a "crushing blow." After investigating for 19 months, the FTC closed the Google antitrust review with nothing more than a slight slap on the wrist. The tech giant agreed to top scraping rival's content and to allow its competitors access to some of its mobile patents. David Drummond, Google's chief legal officer, wrote, "The conclusion is clear: Google's services are good for users and good for competition." Meanwhile, ReadWriteWeb wrote, "This is a crushing blow to Microsoft, which has spent millions of dollars on lobbyists and phony grassroots groups over the past several years hoping to land Google in hot water."
In other Microsoft news, the websites affected by watering hole attacks that exploit the critical zero-day hole in IE now also include energy manufacturer Capstone Turbine Corp and other political sites. It may come to light that more websites are also hosting this IE zero-day exploit that allows attackers to gain control of machines running fully patched versions of Internet Explorer 6, 7 and 8. Of Microsoft's two critical fixes coming on Patch Tuesday, one will close vulnerabilities in Windows XP to Windows 8, Windows Server 2003, 2008, 2008 R2 and 2012. You should plan on reboots. But for now users will have to stick with the Band-Aid quick fix for the zero-day exploiting IE. That or switch browsers.
Like this? Here's more posts:
- Critical Infrastructure Malware Infections: From ICS-CERT report to SCADA Strangelove
- Police State starts in tiny Arkansas town
- Killer robots, indestructible drones & drones that fly and spy indefinitely
- Naughty or nice? Verizon DVR will see and hear you to find out before delivering ads
- Terrorism Fear button and funding: Ridiculous DHS spending
- Microsoft issues quick fix for critical zero-day hole in IE
- Airborne intelligence: U.S. Army building NextGen surveillance planes
- TSA: All your travel are belong to us?
- Intelligence report predicts IT in 2030, a world of cyborgs with Asia as top power
- Future smart spies: Innovative leaps in 2012
Follow me on Twitter @PrivacyFanatic