A Turkish certificate authority (CA) accidentally issued two intermediate, or chained, digital certificates, one of which was used by the holder to mimic legitimate websites.
This prompted browser makers Google, Microsoft and Mozilla all to announce on Thursday that they have revoked, or plan to revoke, trust in the offending certs, which were issued by a company named TURKTRUST.
Adam Langley, a Google software engineer, said in a Thursday blog post that the tech giant discovered the issue late Christmas Eve when Chrome "detected and blocked an unauthorized digital certificate for the *google.com domain."
Google engineers determined that around August 2011, TURKTRUST errantly "issued two intermediate certificates to organizations that should have received regular SSL certificates." On Christmas Day, Google revoked the bogus cert, which, according to Microsoft, was being used in active attacks, the type or extent of which were not described. The following day, Google blocked the second cert, which is not believed to have been used maliciously.
"Intermediate CA certificates carry the full authority of the CA, so anyone who has one can use it to create a certificate for any website they wish to impersonate," Langley explained.
On Thursday, Microsoft released a security advisory, announcing that it would update its Certificate Trust list and apply the change to all supported versions of Windows.
"TURKTRUST Inc. incorrectly created two subsidiary CAs (*.EGO.GOV.TR and e-islem.kktcmerkezbankasi.org)," the software giant explained in the advisory. "The *.EGO.GOV.TR subsidiary CA was then used to issue a fraudulent digital certificate to *.google.com. This fraudulent certificate could be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks against several Google web properties."
Unauthorized certs such as this one create a false sense of security and permit the cert holder to potentially spy on communications and steal credentials. It's unclear who was behind the attacks or who was being targeted.
Mozilla also plans to nullify trust in the two certs in its next release of Firefox, due Tuesday.
"This is not a Firefox-specific issue," Michael Coates, director of security assurance for Mozilla Corp., wrote in a blog post. "Nevertheless, we are concerned that at least one of the misissued intermediate certificates was used for man-in-the-middle (MITM) traffic management of domain names that the customer did not legitimately own or control. We are also concerned that the private keys for these certificates were not kept as secure as would be expected for intermediate certificates."
This incident is just the latest example of a foundational system that some say is fundamentally broken.