Pierluigi Paganini January 04, 2013

It’s the news of the day, a fraudulent digital certificate that could be used for active phishing attacks against Google’s web properties. Using the certificate it is possible to spoof content in a classic phishing schema or perform a man-in-the-middle attack according Google Chrome Security Team and Microsoft experts.

Microsoft has been immediately started the procedure to update its Certificate Trust list (CTL) and all versions of its OSs to revoke the certificate. Microsoft has also decided to revoke other two certificates for the same reason, it seems that some attacks using the first certificate have been already detected, fraudulent digital certificate that was mistakenly issued by a domain registrar run by a Turkish domain registrar.

Microsoft has issued a security advisory “Microsoft Security Advisory (2798897) – Fraudulent Digital Certificates Could Allow Spoofing” that states:

“Microsoft is aware of active attacks using one fraudulent digital certificate issued by TURKTRUST Inc., which is a CA present in the Trusted Root Certification Authorities Store. This fraudulent certificate could be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks. This issue affects all supported releases of Microsoft Windows.

TURKTRUST Inc. incorrectly created two subsidiary CAs (*.EGO.GOV.TR and e-islem.kktcmerkezbankasi.org). The *.EGO.GOV.TR subsidiary CA was then used to issue a fraudulent digital certificate to *.google.com. This fraudulent certificate could be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks against several Google web properties.

To help protect customers from the fraudulent use of this digital certificate, Microsoft is updating the Certificate Trust list (CTL) and is providing an update for all supported releases of Microsoft Windows that removes the trust of certificates that are causing this issue.”

It’s still unknown which is the real target of attack neither their geographic distribution, Microsoft advisory refers the domain kktcmerkezbankasi.org a web site that presents itself as the Central Bank of the Turkish Republic of Northern Cyprus (TRNC).

Google On-Line Security Blog published a blog post that reported that on Dec. 24, 2012, its Chrome Web browser detected and blocked an unauthorized digital certificate for the “*.google.com” domain. This list of properties fixed are:

*.google.com
*.android.com
*.appengine.google.com
*.cloud.google.com
*.google-analytics.com
*.google.ca
*.google.cl
*.google.co.in
*.google.co.jp
*.google.co.uk
*.google.com.ar
*.google.com.au
*.google.com.br
*.google.com.co
*.google.com.mx
*.google.com.tr
*.google.com.vn
*.google.de
*.google.es
*.google.fr
*.google.hu
*.google.it
*.google.nl
*.google.pl
*.google.pt
*.googleapis.cn
*.googlecommerce.com
*.gstatic.com
*.urchin.com
*.url.google.com
*.yo
utube-nocookie.com
*.youtube.com
*.ytimg.com
android.com
g.co
goo.gl
google-analytics.com
google.com
googlecommerce.com
urchin.com
youtu.be
youtube.com

The post states:

“We investigated immediately and found the certificate was issued by an intermediate certificate authority (CA) linking back to TURKTRUST, a Turkish certificate authority. Intermediate CA certificates carry the full authority of the CA, so anyone who has one can use it to create a certificate for any website they wish to impersonate.
In response, we updated Chrome’s certificate revocation metadata on December 25 to block that intermediate CA, and then alerted TURKTRUST and other browser vendors. TURKTRUST told us that based on our information, they discovered that in August 2011 they had mistakenly issued two intermediate CA certificates to organizations that should have instead received regular SSL certificates.”

Also the authors of Mozilla browser have published a blog post informing on revoking of fraudulent certificates, interesting the description of the possible impact provided:

“An intermediate certificate that is used for MITM allows the holder of the certificate to decrypt and monitor communication within their network between the user and any website. Additionally, If the private key to one of the mis-issued intermediate certificates was compromised, then an attacker could use it to create SSL certificates containing domain names or IP addresses that the certificate holder does not legitimately own or control. An attacker armed with a fraudulent SSL certificate and an ability to control their victim’s network could impersonate websites in a way that would be undetectable to most users. Such certificates could deceive users into trusting websites appearing to originate from the domain owners, but actually containing malicious content or software.”

In a blog post published a In 2011 I explained which is the usefulness to steal a CA certificate:

• Malware production – Installation for certain types of software could needs that its code is digitally signed with a trusted certificate. By stealing the certificate of a trusted vendor reduces the possibility that the malicious software being detected as quickly. That is exactly what happend for Stuxnet virus.
• Economic Frauds – digital signature give a warranty on who signed a document and you can decide if you trust the person or company who signed the file and if you trust the organization who issued the certificate. If a digital certificate is stolen we will suffer of an identity theft, let’s imagine which could be the implication. Some bot, like happened for the banking with Zeus malware, could be deployed to steal steal site certificates so that they can fool web browsers into thinking that a phishing site is a legitimate bank web site.
• Cyber warfare – Criminals or governments could use the stolen certificates to conduct “man-in-the-middle” attacks, tricking users into thinking they were at a legitimate site when in fact their communications were being secretly tampered and intercepted. That is for example what occurred in the DigiNota case … companies like Facebook, Google and also agencies like CIA, MI6 were targeted in Dutch government certificate hack.

The security repercussions are very critical, any attacker with the possibility to sign using a certificate of a CA can sign certificates for any domain. In the past we have already observed similar incidents, such as the case of Diginotar CA, learning how much dangerous is the impairment of a CA.

Who will be next?

Pierluigi Paganini

2013/04/01 UPDATE

PUBLIC ANNOUNCEMENT  – Turktrust

11:40 GMT+2, January 04, 2012

 TURKTRUST has been delivering SSL certificate services since 2005 and is the first and soul local establishment that has certified its SSL certificate services in compliance with the “ETSI TS 102 042 CA Management System Standard” on December 20, 2011.

TURKTRUST is also the only Turkish establishment that has entered the trusted root certificate list of many internet browsers and mobile device manufacturers such as Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Opera, Apple Safari, and RIM.

Before “ETSI TS 102 042 CA Management System Standard” certification took place, our systems were subject to upgrades and improvements between May-November 2011. In the course of this process, two faulty SSL certificates in the same production package were issued due to a defective data migration and software upgrade process. Upon the notification of the Internet browsers on December 26, 2012, one of the faulty certificates, that had been valid by then, was immediately revoked. All our systems were explored in depth and the root cause of the problem was identified. The data revealed that the instance was unique, and restricted only to this case. There is also no evidence of any attack or hacking attempt on our systems, as well as no implication of any malicious usage.

Since December 2011, the strong and trustworthy infrastructure of TURKTRUST, which has been certified in compliance with the international standards, certainly ensures preventing any kind of similar events. TURKTRUST sustains with absolute determination to serve as a prominent worldwide CA.

Here and thereafter, invaluable support and kindness of our customers shall remain to be our most valuable asset.

Kind Regards,

TURKTRUST Inc.