Microsoft to revoke certificates with fewer than 1024 bits
Microsoft to revoke certificates with fewer than 1024 bits

The fraudulent issuing of certificates from a Turkish certificate authority (CA) has led to major web browsers revoking trust.

According to Dustin Childs, group manager of response communications at Microsoft Trustworthy Computing, an advisory was issued after it became aware of "active attacks using a fraudulent digital certificate issued by TurkTrust". This has led to Google, Microsoft and Mozilla revoking trust in the certificates causing this problem.

It was initially detected on Christmas Eve by Google software engineer Adam Langley, who said that its Chrome browser detected and blocked an unauthorised digital certificate for the ‘google.com' domain and after investigating, it found that the certificate was issued by a CA linking back to Turkish TurkTrust.

Langley said that it alerted TurkTrust who discovered in August 2011 it had mistakenly issued two intermediate certificates to organisations that should have instead received regular SSL certificates.

He said: “Our actions addressed the immediate problem for our users. Given the severity of the situation, we will update Chrome again in January to no longer indicate extended validation status for certificates issued by TurkTrust, though connections to TurkTrust-validated HTTPS servers may continue to be allowed.”

Microsoft's advisory said that TurkTrust incorrectly created two subsidiary CAs - ego.gov.tr and e-islem.kktcmerkezbankasi.org and the first was then used to issue a fraudulent digital certificate to google.com. This fraudulent certificate could be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks against several Google web properties.

Michael Coates, director of security assurance at Mozilla, said that while this was not a Firefox-specific issue, it was concerned that at least one of the mis-issued intermediate certificates was used for man-in-the-middle (MITM) traffic management of domain names.

“We are also concerned that the private keys for these certificates were not kept as secure as would be expected for intermediate certificates,” he said.

“An intermediate certificate that is used for MITM allows the holder of the certificate to decrypt and monitor communication within their network between the user and any website. Additionally, If the private key to one of the mis-issued intermediate certificates was compromised, then an attacker could use it to create SSL certificates containing domain names or IP addresses that the certificate holder does not legitimately own or control.

“An attacker armed with a fraudulent SSL certificate and an ability to control their victim's network could impersonate websites in a way that would be undetectable to most users. Such certificates could deceive users into trusting websites appearing to originate from the domain owners, but actually containing malicious content or software.”

A translated statement by TurkTrust acknowledged that two ‘incorrect statements' were issued by it in August 2011 that browsers detected in December. “The certificate was cancelled immediately after the notification [was made and] all systems [were] examined in detail [to determine] the exact source of the problem, respectively.”

It also said that as a result of the investigation, the "erroneous output occurs only once" so in the absence of any interference with its systems, any loss resulting from this instance have been identified.