An unauthorized digital certificate for the .google.com domain was blocked by Chrome on Christmas Eve, according to a security warning posted on Thursday by Adam Langley, a Google software engineer.
Google's investigation found that the Turkish CA TURKTRUST had, in August 2011, mistakenly issued intermediate certificates to two organizations that should have received ordinary SSL certificates. Intermediate certificates enable organizations to create a certificate for any website they wish to impersonate, Langley said, which can be used for phishing, man-in-the-middle attacks or to spoof content.
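The mechanism Langley describes, as an added Go example that is not from the original article or from Google: a constructed chain in which a customer certificate is mis-issued with basicConstraints CA:TRUE, a check showing that a client trusting only the root then accepts a leaf for www.google.com signed with the customer's key, and the issuer-side audit that flags such a certificate. The root name, the customer name (customer.example) and all keys are constructed for the example and have nothing to do with TURKTRUST's actual certificates.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// issue returns a certificate for cn signed by parent (self-signed when parent is nil) and its
// key; ca=true sets basicConstraints CA:TRUE plus keyCertSign, the bits that let it sign others.
func issue(cn string, serial int64, ca bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	ku := x509.KeyUsageDigitalSignature
	if ca {
		ku |= x509.KeyUsageCertSign
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		DNSNames: []string{cn}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		BasicConstraintsValid: true, IsCA: ca, KeyUsage: ku}
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// BuildMisissuedChain models the incident with constructed names: a customer mistakenly gets CA:TRUE and signs a leaf for a domain it does not own.
func BuildMisissuedChain() (root, customer, leaf *x509.Certificate) {
	root, rootKey := issue("Example Root CA", 1, true, nil, nil)
	customer, custKey := issue("customer.example", 2, true, root, rootKey)
	leaf, _ = issue("www.google.com", 3, false, customer, custKey)
	return root, customer, leaf
}
// ChainVerifies asks the browser's question: trusting only root, is leaf valid for host?
func ChainVerifies(root, inter, leaf *x509.Certificate, host string) bool {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(inter)
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots, Intermediates: inters})
	return err == nil
}
// IsUnexpectedSubCA is the issuer-side audit: CA:TRUE on anything but an approved sub-CA is a mis-issuance to revoke.
func IsUnexpectedSubCA(c *x509.Certificate, approved map[string]bool) bool {
	return c.BasicConstraintsValid && c.IsCA && !approved[c.Subject.CommonName]
}
```

Without the intermediate in the chain the leaf does not verify, and the audit flags the customer certificate while leaving the root and the plain leaf alone.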
Google said that “given the severity of the situation” it will update Chrome this month to no longer indicate EV status for certificates issued by TURKTRUST.
According to CNET, Microsoft has also blocked certificates from TURKTRUST, and Mozilla has revoked trust in the two TURKTRUST certificates and suspended inclusion of the TURKTRUST root certificate.
TURKTRUST said that its mistake stemmed from an incorrect configuration after a software change, The H Security reported. TURKTRUST cancelled the digital certificate after it heard from Google, and the other certificate had been cancelled by the customer before it was used.
Still, with all of the major browsers revoking trust in the digital certificates, the incident has the potential to have a devastating effect on TURKTRUST. Last year, after a security breach that unleashed fake SSL certificates into the wild, Dutch CA DigiNotar filed for bankruptcy.
Talk back: What do you think of the latest digital certificate security incident? Do you think these kinds of incidents make customers question the security of SSL certificates in general? Let us know in a comment.