Google found that Turkish CA TURKTRUST had mistakenly issued intermediate certificates to two organizations in August 2011 that should have been given SSL certificates
An unauthorized digital certificate for the .google.com domain was blocked by Chrome on Christmas Eve, according to a security warning by Adam Langley, Google software engineer on Thursday.
An investigation led Google to find that a Turkish CA TURKTRUST had mistakenly issued intermediate certificates to two organizations in August 2011 that should have been given SSL certificates. Intermediate certificates enable organizations to create a certificate for any website they wish to impersonate, Langley said, which can be used for phishing, man-in-the-middle attacks or to spoof content.
Google said that “given the severity of the situation” it will update Chrome this month to no longer indicate EV status for certificates issued by TURKTRUST.
According to CNET, Microsoft has also blocked certificates from TURKTRUST , and Mozilla has revoked trust for the two TURKTRUST certificates, and has suspended inclusion of the TURKTRUST root certificate.
Nearly a year ago Mozilla requested that CAs in its root program fess up to issuing digital certificates used for SSL man-in-the-middle interception.
TURKTRUST said that its mistake is connected to an incorrect configuration after a software change, the H Security said in a report. TURKTRUST cancelled the digital certificate after it heard from Google, and the other certificate was cancelled by the customer before it was used.
Still, with all of the major browsers revoking trust of the digital certificates, the incident has the potential to have a devastating effect on TURKTRUST. Last year, after a security breach that unleashed fake SSL certificates into the wild, Dutch CA DigiNotar filed for bankruptcy.
Talk back: What do you think of the latest digital certificate security incident? Do you think these kinds of incidents make customers question the security of SSL certificates in general? Let us know in a comment.
About Nicole Henderson
Nicole Henderson is the Editor in Chief of the Web Host Industry Review where she covers daily news and features online, as well as in print. She has a bachelor of journalism from Ryerson University in Toronto. You can find her on Twitter @NicoleHenderson.
