An attacker armed with a fraudulent SSL certificate and the ability to control their victim's network could impersonate websites in a way that would be undetectable to most users. Such certificates could deceive users into trusting sites that appear to belong to the legitimate domain owners but actually serve malicious content or software.
“An intermediate certificate that is used for [man in the middle] allows the holder of the certificate to decrypt and monitor communication within their network between the user and any website,” explained Michael Coates, Mozilla's director of security assurance, adding that users will get a Firefox update Jan. 8. “Additionally, if the private key to one of the mis-issued intermediate certificates was compromised, then an attacker could use it to create SSL certificates containing domain names or IP addresses that the certificate holder does not legitimately own or control.”
In response, Microsoft, Google and Mozilla have all revoked trust in the two digital certificates, one of which was initially discovered on Christmas Eve by Google. The search giant updated Chrome's certificate revocation metadata on Christmas Day to block that intermediate CA, then alerted TURKTRUST and the other browser vendors. On December 26, it pushed another Chrome metadata update to block the second mistakenly issued CA certificate.
“TURKTRUST told us that based on our information, they discovered that, in August 2011, they had mistakenly issued two intermediate CA certificates to organizations that should have instead received regular SSL certificates,” said Adam Langley, software engineer at Google, in a blog post. “Given the severity of the situation, we will update Chrome again in January to no longer indicate Extended Validation status for certificates issued by TURKTRUST, though connections to TURKTRUST-validated HTTPS servers may continue to be allowed.”
For its part, Microsoft has issued a new security advisory to notify customers of the threat, identifying users of Windows XP and Server 2003 machines (and Vista desktops that have not installed the update) as being at risk. It also updated its Certificate Trust List (CTL) to remove trust in the certificates causing the issue.
Dustin Childs, group manager of response communications for Trustworthy Computing, explained in a Microsoft blog post that TURKTRUST Inc. had incorrectly created two subsidiary CAs (*.EGO.GOV.TR and e-islem.kktcmerkezbankasi.org), and that the *.EGO.GOV.TR CA was then used to issue a fraudulent digital certificate for *.google.com, enabling the active attack.
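The mechanism the article describes is easy to see in code: a certificate issued with CA powers to a customer who should have received an ordinary server certificate can sign a leaf for any name, and that leaf passes normal path validation. What the browser vendors did was layer an explicit distrust list on top of validation, keyed by the certificate's fingerprint. The following Go program is an added example, not code from TURKTRUST, Google, Microsoft or Mozilla; it constructs a throwaway root, a mis-issued intermediate and a leaf for a domain the intermediate's holder does not own (`www.example.com` stands in for the impersonated site), shows that the chain validates, and then shows it being rejected once the intermediate's SHA-256 fingerprint is on the block list. The names, serial numbers and the `VerifyWithDistrust` helper are all constructed for this illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// ErrDistrustedIssuer is returned when a chain passes signature, validity and
// name checks but contains a certificate on the explicit distrust list.
var ErrDistrustedIssuer = errors.New("chain contains an explicitly distrusted certificate")

// Fingerprint returns the hex SHA-256 of the DER encoding, the kind of key a
// browser block list uses to identify one specific certificate.
func Fingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.Raw)
	return hex.EncodeToString(sum[:])
}

// VerifyWithDistrust runs ordinary path validation and then discards every
// chain that contains a distrusted fingerprint. A nil map means no block list.
func VerifyWithDistrust(leaf *x509.Certificate, roots, intermediates *x509.CertPool,
	dnsName string, distrusted map[string]bool) ([][]*x509.Certificate, error) {
	chains, err := leaf.Verify(x509.VerifyOptions{
		DNSName: dnsName, Roots: roots, Intermediates: intermediates,
	})
	if err != nil {
		return nil, err
	}
	var accepted [][]*x509.Certificate
	for _, chain := range chains {
		blocked := false
		for _, c := range chain {
			if distrusted[Fingerprint(c)] {
				blocked = true
				break
			}
		}
		if !blocked {
			accepted = append(accepted, chain)
		}
	}
	if len(accepted) == 0 {
		return nil, ErrDistrustedIssuer
	}
	return accepted, nil
}

// newCert issues a certificate for template signed by parent/parentKey; with a
// nil parent the certificate is self-signed. Returns the cert and its own key.
func newCert(template, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	signer := parentKey
	if parent == nil {
		parent, signer = template, key
	}
	der, err := x509.CreateCertificate(rand.Reader, template, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// Scenario is a constructed PKI: a root, an intermediate that should have been
// a plain server certificate but carries CA powers, and a leaf for a name the
// intermediate's holder does not control.
type Scenario struct {
	Root, MisIssued, Leaf *x509.Certificate
	Roots, Intermediates  *x509.CertPool
}

// BuildScenario generates the three certificates and the pools to validate them.
func BuildScenario() (*Scenario, error) {
	now := time.Now()
	caTemplate := func(serial int64, cn string) *x509.Certificate {
		return &x509.Certificate{
			SerialNumber: big.NewInt(serial),
			Subject:      pkix.Name{CommonName: cn},
			NotBefore:    now.Add(-time.Hour),
			NotAfter:     now.Add(24 * time.Hour),
			IsCA:         true, BasicConstraintsValid: true,
			KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		}
	}
	root, rootKey, err := newCert(caTemplate(1, "Example Root CA (constructed)"), nil, nil)
	if err != nil {
		return nil, err
	}
	// The mis-issuance: the customer needed a server certificate, but this
	// template has IsCA set, so its holder can sign for arbitrary names.
	misIssued, misKey, err := newCert(caTemplate(2, "customer.example (mis-issued as CA)"), root, rootKey)
	if err != nil {
		return nil, err
	}
	leaf, _, err := newCert(&x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      pkix.Name{CommonName: "www.example.com"},
		DNSNames:     []string{"www.example.com"},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, misIssued, misKey)
	if err != nil {
		return nil, err
	}
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(misIssued)
	return &Scenario{Root: root, MisIssued: misIssued, Leaf: leaf, Roots: roots, Intermediates: inters}, nil
}

func main() {
	s, err := BuildScenario()
	if err != nil {
		panic(err)
	}
	_, err = VerifyWithDistrust(s.Leaf, s.Roots, s.Intermediates, "www.example.com", nil)
	fmt.Println("before the block-list update:", err) // nil: the chain is cryptographically valid
	block := map[string]bool{Fingerprint(s.MisIssued): true}
	_, err = VerifyWithDistrust(s.Leaf, s.Roots, s.Intermediates, "www.example.com", block)
	fmt.Println("after the block-list update:", err) // ErrDistrustedIssuer
}
```

The point of running it is the first line of output: nothing in standard validation objects to the chain, because the root really did sign the intermediate and the intermediate really did sign the leaf. Only the out-of-band block list, which is what the Chrome metadata pushes, the Firefox update and Microsoft's CTL delivered, separates the fraudulent chain from a legitimate one; that is also why Langley could distrust the specific intermediates without revoking the TURKTRUST root outright.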
“There is no action for customers using versions of Windows Vista and newer who have installed the Certificate Trust List feature, which we released in June,” Childs said. “This feature helps protect customers from any potential issues caused by these certificates. For Windows XP and Windows Server 2003 customers, or customers who chose not to install the Certificate Trust List feature, also known as Microsoft Knowledge Base Article 2677070, we recommend that this update be applied immediately using update management software, by checking for updates using the Microsoft Update service, or by downloading and applying the update manually.”