CA Leak Highlights Weakness in Net Security, Again
For the third time in two years, an incident at one of the hundreds of certificate authorities that underpin the security of the Internet allowed a group—or in this case, a machine—the ability to pose as a legitimate online service provider.
In a statement posted Jan. 3, Google announced that its Chrome browser "detected and blocked an unauthorized digital certificate" for its domain Dec. 24. The online services giant provided few details, but tracked the certificate back to a legitimate provider of digital encryption and certificate products, TurkTrust. Google updated its Chrome browser to revoke the two powerful certificates that had been mistakenly issued and the certificate created for its own domain.
"Intermediate CA certificates carry the full authority of the CA, so anyone who has one can use it to create a certificate for any Website they wish to impersonate," Google stated as an explanation of its actions.
Microsoft and Mozilla, the makers of the two other most popular desktop browsers, also took action in December. Microsoft revoked the three certificates, while Mozilla not only removed those certificates from its trust chain, but TurkTrust's certificates as well.
"There are currently two TURKTRUST root certificates included in Mozilla's CA Certificate program," the company said in its statement. "TURKTRUST had requested that a newer root certificate be included, and their request had been approved and was in Firefox 18 beta. However, due to the mis-issued intermediate certificates, we decided to suspend inclusion of their new root certificate for now."
In the past two years, two other breaches at certificate authorities have underscored the weakness in the system that underpins much of the Internet's chain of trust. In March 2011, an Iranian hacker breached systems at security firm Comodo, issuing certificates from Google, Yahoo, Skype, Mozilla and Microsoft. Using those certificates, cyber-criminals could spoof legitimate Websites, while authoritarian governments could eavesdrop on communications.
The same hacker claimed responsibility for breaching Dutch certificate authority DigitNotar. When the major browsers revoked their trust in certificates signed by the company, it went out of business.
TurkTrust has gone on the offensive, hoping to prevent a similar revocation of its own certificates. The company has posted statements of its analysis of what happened on its Website and in other forums.
Two certificates issued during a software migration had inadvertently been created as intermediate certificates, which allow additional digital signatures to be created, the company stated. While the problem that led to the issuance of the two certificates was fixed Aug. 10, 2011, the two digital signatures persisted.
The company tracked back the certificates and found that one had been revoked before the customer used it, and the other certificate had resided on a mail server until Dec. 6, 2012, when it was moved to a firewall. Certain firewalls allow man-in-the-middle functionality, decrypting communications going out from an organization to look for potential malicious traffic. The other certificate had been used in this sort of use case, according to TurkTrust.
"The available data strongly suggests that the *.google.com [certificate] was not issued for dishonest purposes or has not been used for such a purpose," the company said. "There is certainly not a bit of data to show an evidence of a security breach on TURKTRUST systems."
The scenario is quite plausible, stated Robert Graham, CEO of security consultancy Errata Security.
"This is especially true when looking at it from the other point of view," he wrote in an analysis of the incident. "Google Chrome hoovers up a ton of information from hundreds of millions of machines. When somebody misconfigures a firewall, Google is going to notice. Google is going to regularly report harmless Internet oddities that otherwise would've gone unnoticed before."