Fake Turkish site certs create threat of bogus Google sites

January 5th, 2013 by admin

Google and Microsoft revealed today that a certificate authority based in Turkey “mistakenly” issued two intermediate CA certificates to customers, and that the holder of one of them in turn used it to create a bogus certificate for *.google.com that could let it impersonate any Google site.

According to a blog post by Google engineer Adam Langley, Chrome detected and blocked an unauthorized certificate for the domain “*.google.com” on December 24. Chrome caught it because the browser ships a built-in list of the public keys that Google domains are allowed to use, so a certificate whose chain validates under an otherwise trusted CA is still rejected if the key in it is not on that list. After blocking the certificate, Langley said, Google investigated and determined that it had been issued by an intermediate certificate authority whose chain led back to the Turkish certificate authority TurkTrust.

Fraudulent certificates are no joke. A certificate for a domain lets whoever holds its private key pass as that site to any client that trusts the issuing chain, so an attacker who can also get into the traffic path (a compromised network, a hostile Wi-Fi hotspot, a state-level interception point) can mount man-in-the-middle attacks, read and alter supposedly encrypted sessions, host phishing pages behind a valid padlock, or serve spoofed content.

After Google warned TurkTrust and other browser vendors, TurkTrust reported that it had mistakenly issued two intermediate CA certificates in August 2011 to organizations that should have received ordinary end-entity SSL certificates. The difference is a single extension: a certificate marked as a CA can sign further certificates, and nothing in the standard validation model limits which domain names it may sign for. A customer that receives such a certificate by mistake therefore holds the power to issue trusted certificates for any site on the Internet, not just its own.

Microsoft wrote in its concurrent security advisory blog post that it has also blocked certificates from TurkTrust. “TurkTrust incorrectly created two subsidiary Certificate Authorities: (*.EGO.GOV.TR and e-islam.kktcmerkezbankasi.org). The *.EGO.GOV.TR subsidiary CA was then used to issue a fraudulent digital certificate to *.google.com,” the company wrote.
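The failure mode described in the two paragraphs above, as an added example that is not part of the original post and not code from Google, Microsoft or TurkTrust: a throwaway PKI built with the openssl command line (assumed to be installed), in which a root issues a customer a certificate with CA:TRUE by mistake, the customer signs a *.google.com certificate with it, standard path validation accepts the result, and a public-key pin of the kind Chrome carried for google.com rejects it. Every name, key and pin here is constructed for the demo; no real TurkTrust, EGO.GOV.TR or Google material is involved.

```shell
#!/bin/sh
# Added example, not from the article: rebuild the TurkTrust failure mode with a
# throwaway PKI, then compare RFC 5280 path validation with an SPKI pin check.
# Assumes the openssl CLI is on PATH. Every name and key below is constructed
# for the demo; no real TurkTrust, EGO.GOV.TR or Google material is used.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Extensions for a certificate that may sign other certificates.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
# Extensions for an ordinary server certificate (what the customer should have got).
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:*.google.com\n' > leaf.ext

# 1. A trusted root, standing in for the TurkTrust root in the browser store.
openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Demo Root CA" \
    -keyout root.key -out root.csr 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -days 30 -sha256 \
    -extfile ca.ext -out root.crt 2>/dev/null

# 2. The mistake: a customer asks for a server certificate and is issued one
#    carrying CA:TRUE, which makes it a subordinate CA able to sign anything.
openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=customer.example" \
    -keyout sub.key -out sub.csr 2>/dev/null
openssl x509 -req -in sub.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -days 30 -sha256 -extfile ca.ext -out sub.crt 2>/dev/null

# 3. The customer's key now signs a certificate for a domain it does not control.
openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=*.google.com" \
    -keyout bogus.key -out bogus.csr 2>/dev/null
openssl x509 -req -in bogus.csr -CA sub.crt -CAkey sub.key -CAcreateserial \
    -days 30 -sha256 -extfile leaf.ext -out bogus.crt 2>/dev/null

# 4. For comparison, the genuine *.google.com certificate, issued directly by
#    the root for the site's own key (freshly generated here for the demo).
openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=*.google.com" \
    -keyout genuine.key -out genuine.csr 2>/dev/null
openssl x509 -req -in genuine.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -days 30 -sha256 -extfile leaf.ext -out genuine.crt 2>/dev/null

# Standard path validation against the trust store: succeeds for any chain that
# ends at root.crt, no matter whose name is in the leaf.
chain_validates() {
    openssl verify -CAfile root.crt -untrusted sub.crt "$1" >/dev/null 2>&1
}

# SPKI pin: base64(SHA-256(DER SubjectPublicKeyInfo)), the pin format Chrome uses.
spki_pin() {
    openssl x509 -in "$1" -pubkey -noout \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 -binary \
        | openssl enc -base64
}

# Pin check of the kind Chrome applies to google.com: the leaf's key must be
# one of the keys the client already knows, whoever signed the certificate.
# Usage: pin_check CERT PIN [PIN...]
pin_check() {
    cert=$1; shift
    actual=$(spki_pin "$cert")
    for p in "$@"; do
        [ "$actual" = "$p" ] && return 0
    done
    return 1
}

# The pin a client would ship for the real key (constructed here).
GOOGLE_PIN=$(spki_pin genuine.crt)

printf 'bogus *.google.com chain passes path validation: '
if chain_validates bogus.crt; then echo yes; else echo no; fi   # yes
printf 'bogus *.google.com key matches the pinned key:   '
if pin_check bogus.crt "$GOOGLE_PIN"; then echo yes; else echo no; fi   # no
printf 'genuine certificate matches the pinned key:      '
if pin_check genuine.crt "$GOOGLE_PIN"; then echo yes; else echo no; fi   # yes
```

The point of the two checks is that they answer different questions: path validation asks whether some trusted CA vouched for the certificate, and every CA in the store (and every subordinate it has created, on purpose or by mistake) can vouch for any name. The pin asks whether the key is the one the client expects for that site, which is why a mis-issued subordinate CA cannot get past it. Pinning only protects sites whose keys the client already knows, so it is a backstop for a handful of high-value domains rather than a replacement for keeping subordinate CAs out of the wrong hands.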

People using Windows Vista or newer won’t have to take any action, Microsoft said, as long as they have installed the Certificate Trust List from last June. Windows 8, Windows RT, Windows Server 2012, and devices running Windows Phone 8 will be automatically protected.

Langley added that Google’s actions last month fixed the immediate security problem for Chrome users, but that the company will update the browser again in January to remove Extended Validation status for TurkTrust-issued certificates: they will still validate, but Chrome will no longer show the EV indicator for them.

He finished by warning that it’s possible Google “may also decide to take additional action after further discussion and careful consideration.”

Get your personal as well as office laptops encrypted by Alertsec

Unencrypted laptops present a major risk of data loss. 80% of information theft is due to lost or stolen laptops and other equipment. About 50% of network intrusions are performed with credentials gathered from lost or stolen devices. The penalties for a data breach are severe not only in terms of the monetary fines imposed on the organization, but also the potential loss of trust from customers and suppliers. Encryption software greatly enhances the security of your organization’s data as the information is not compromised if a laptop is lost or stolen.

Alertsec Xpress is the full disk encryption service that delivers a mobile data protection system for all information stored on laptops used throughout your organization.

