The key point that caused me to write this post has not changed – this issue can have serious negative implications for users in countries like Syria and Iran.
UPDATE 2: It had originally been reported that criminals had created a fake Google website by abusing security certificates. The BBC updated their news report at 22:00 on 4 January to say “criminals could have created a website that purported to be part of the Google+ social media network”. Note: as Google Inc is now branding a bunch of its services as the Google+ social media network, this refers to any *.google.xxx host, for example https://mail.google.com.
TurkTrust has said that only one of the two certificates was ever in use and that it sees no indication of malicious usage. The information does seem to confirm that the client was using the *.google.com certificate for man-in-the-middle interception. I suggest reading the full discussion and the content of the embedded links on the Mozilla security list for more technical details, and the Mozilla Security Blog post for a non-technical overview and explanation.
UPDATE 1: TurkTrust has issued a Press Release concerning the security advisory by Microsoft, Google and other Internet browser producers published on the 3rd of January 2013, GMT 18:00 hours.
- Google Online Security Blog
- Microsoft Security Advisory (2798897)
- The Opera Rootstore
- Mozilla Security Blog
- Entrust Insights
- Mozilla Discussion Thread
- Technical Details
The company maintains that the situation has no impact on customers at all and says it will continue to provide updates. I have commented in my original post about the coincidental similarities that seemed to exist between this issue and the DigiNotar scandal, so I was not at all comfortable learning that the flawed system was given a clean bill of health in November 2011 after an audit by KPMG in the Netherlands, DigiNotar’s turf. I could write at length about the circumstances which led to this recent breach of trust and my remaining questions, but I don’t want to bore you senseless about it. I am much more concerned that our efforts are focused on alerting activists in countries with repressive regimes to the potential risks such events pose to their online and offline security.
Web browser makers have rushed to fix a security lapse that cyber thieves abused [was used – see Update 2] to impersonate Google+.
Chrome has been updated, Firefox will be updated on 8 January 2013, and Microsoft has issued an update for Internet Explorer which will be applied automatically for users of Windows 8/RT/Server 2012. Anyone using older versions of Windows will need to use Windows Update. Since Opera requires a successful revocation check in order to show a site as secure, Opera explained that users were immediately protected and there was no urgent need to update. As usual, Apple has not commented on when or if they will take action to protect Safari and iOS users.
By using the fake credentials, criminals created a website that pretended to be part of the Google+ social media network. [See Update 2] The loophole exploited ID credentials that browsers use to ensure a website is who it claims to be.
So someone was attempting to perform a man-in-the-middle attack against secure communications intended for Google, but there is no information about who that is or where they are based. [See Update 1]
The fake ID credentials have been traced back to August 2011, when the Turkish Certificate Authority (CA) TurkTrust mistakenly issued two “master keys”: intermediate CA certificates, able to sign certificates for any website, where ordinary end-entity certificates should have been issued. The issue was not discovered by Google until late on 24 December 2012, when Chrome detected and blocked a *.google.com certificate issued under one of them. Google issued two updates on 25 and 26 December and alerted other browser vendors.
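The following Python toy model is an added example, not code from the original post or from any browser or CA. It shows why a certificate mis-issued with CA:TRUE is so dangerous: the *.google.com leaf it signs passes ordinary chain building against the TurkTrust root exactly as a legitimate certificate would, and only a check that does not depend on the CA system, here a public-key pin set of the kind Chrome applies to its own domains (the mechanism that caught this certificate), rejects it. Certificates are dicts rather than ASN.1, the “keys” are byte strings, the signature is a hash stand-in rather than RSA/ECDSA, and every name, key and pin value is constructed for the example.

```python
"""Toy model of X.509 path validation plus public-key pinning (added example).

Certificates are dicts, keys are byte strings, and the "signature" is a hash
that merely ties a certificate to its issuer's key; a real verifier checks an
RSA/ECDSA signature with the issuer's public key. All names, keys and pins
are constructed for illustration.
"""
import hashlib


def _tbs(cert):
    """The to-be-signed bytes: everything except the signature itself."""
    meta = f"{cert['subject']}|{cert['issuer']}|{cert['ca']}|{cert['pathlen']}"
    return meta.encode() + cert["pubkey"]


def _sign(issuer_key: bytes, cert) -> str:
    return hashlib.sha256(issuer_key + _tbs(cert)).hexdigest()


def spki_hash(pubkey: bytes) -> str:
    """Stand-in for SHA-256 over a certificate's SubjectPublicKeyInfo."""
    return hashlib.sha256(pubkey).hexdigest()


def make_cert(subject, pubkey, is_ca, pathlen=None, issuer=None):
    """issuer=None yields a self-signed cert; otherwise the cert is signed
    with issuer['pubkey'] (toy: the same bytes act as the private key)."""
    issuer_name = subject if issuer is None else issuer["subject"]
    issuer_key = pubkey if issuer is None else issuer["pubkey"]
    cert = {"subject": subject, "issuer": issuer_name, "pubkey": pubkey,
            "ca": is_ca, "pathlen": pathlen}
    cert["sig"] = _sign(issuer_key, cert)
    return cert


def build_chain(leaf, store, anchors):
    """Walk issuer links from the leaf up to a trust anchor.

    Enforces the checks that matter here: each signature verifies under the
    issuer's key, every issuer asserts CA:TRUE (basicConstraints), and no
    issuer is used deeper than its pathLenConstraint allows.
    Returns the chain leaf-first or raises ValueError.
    """
    chain, cur = [leaf], leaf
    while cur["subject"] not in anchors:
        if len(chain) > 8:
            raise ValueError("chain too long")
        issuer = store.get(cur["issuer"])
        if issuer is None or issuer["subject"] == cur["subject"]:
            raise ValueError(f"no trusted issuer for {cur['subject']}")
        if _sign(issuer["pubkey"], cur) != cur["sig"]:
            raise ValueError(f"bad signature on {cur['subject']}")
        if not issuer["ca"]:
            raise ValueError(f"{issuer['subject']} is not a CA")
        # Intermediates already below this issuer = chain minus the leaf;
        # pathLenConstraint caps that number.
        if issuer["pathlen"] is not None and len(chain) - 1 > issuer["pathlen"]:
            raise ValueError(f"pathLenConstraint exceeded at {issuer['subject']}")
        chain.append(issuer)
        cur = issuer
    return chain


def check_tls(leaf, store, anchors, pins=None) -> str:
    """Returns 'ok', 'untrusted: <reason>' or 'pin mismatch'."""
    try:
        chain = build_chain(leaf, store, anchors)
    except ValueError as e:
        return f"untrusted: {e}"
    # Pinning: some SPKI in the validated chain must be in the host's pin set;
    # a chain that is merely valid under the CA system is not enough.
    if pins is not None and not any(spki_hash(c["pubkey"]) in pins for c in chain):
        return "pin mismatch"
    return "ok"


# --- constructed sample PKI (names and keys invented for the example) -------
TT_ROOT = make_cert("TURKTRUST Root", b"tt-root-key", True)
TT_SUB = make_cert("TURKTRUST SSL CA", b"tt-sub-key", True, 0, issuer=TT_ROOT)
PROPER_LEAF = make_cert("www.example.com.tr", b"example-key", False, issuer=TT_SUB)
# The incident pattern: a customer cert issued CA:TRUE instead of CA:FALSE,
# then used to mint a leaf for *.google.com.
MISISSUED = make_cert("customer.example.gov.tr", b"customer-key", True, 0, issuer=TT_ROOT)
FAKE_GOOGLE = make_cert("*.google.com", b"mitm-key", False, issuer=MISISSUED)
# Google's genuine chain under another root, with the intermediate SPKI pinned.
EX_ROOT = make_cert("Example Global Root", b"ex-root-key", True)
GIA = make_cert("Google Internet Authority", b"gia-key", True, 0, issuer=EX_ROOT)
REAL_GOOGLE = make_cert("*.google.com", b"google-leaf-key", False, issuer=GIA)
GOOGLE_PINS = {spki_hash(b"gia-key"), spki_hash(b"ex-root-key")}
# Negative cases for the path checks themselves.
LEAF_SIGNED_BY_LEAF = make_cert("evil.example", b"evil-key", False, issuer=PROPER_LEAF)
TOO_DEEP_CA = make_cert("nested CA", b"nested-key", True, 0, issuer=MISISSUED)
TOO_DEEP_LEAF = make_cert("deep.example", b"deep-key", False, issuer=TOO_DEEP_CA)
FORGED = make_cert("*.google.com", b"forger-key", False,  # knows the root's name only
                   issuer={"subject": "TURKTRUST Root", "pubkey": b"not-the-root-key"})

STORE = {c["subject"]: c for c in
         (TT_ROOT, TT_SUB, PROPER_LEAF, MISISSUED, EX_ROOT, GIA, TOO_DEEP_CA)}
ANCHORS = {"TURKTRUST Root", "Example Global Root"}

if __name__ == "__main__":
    for name, leaf, pins in [("proper", PROPER_LEAF, None), ("fake, no pins", FAKE_GOOGLE, None),
                             ("fake, pinned", FAKE_GOOGLE, GOOGLE_PINS), ("forged", FORGED, None)]:
        print(f"{name}: {check_tls(leaf, STORE, ANCHORS, pins)}")
```

The two FAKE_GOOGLE results are the whole story: without pins the chain built from the mis-issued intermediate is indistinguishable from a legitimate one, which is why revocation of the intermediate (or distrust of the root) is the only CA-side fix, and why the FORGED case, where an attacker merely names the root as issuer without holding its key, never needed one.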
You may recall that August 2011 saw a report from Google about man in the middle attacks linked to the DigiNotar CA which they said mainly affected users in Iran.
So the dates coincide, as does the methodology and the target site, except this time TurkTrust is much closer to Iran and Syria (on many levels, not only geographically) whereas DigiNotar was in the Netherlands.
Google’s post notes that Google “may also decide to take additional action after further discussion and careful consideration,” which hints that the Chrome team are considering the exclusion of TurkTrust’s root certificates. Mozilla will revoke trust in the two mis-issued certificates when the Firefox update is released on 8 January and has suspended the pending inclusion of a newer TurkTrust root. However, if this CA is removed entirely, it could force many sites in countries like Syria and Iran to use national, untrusted and completely compromised CAs like ParsSign.