Google, Microsoft and Mozilla have all been working to block a rogue digital certificate that allowed fraudsters to impersonate the domain, with Microsoft aware of "active attacks" taking place.
Engineers for the Google Chrome browser became aware of the problem on 24 December and were able to trace the fake credentials back through an intermediate certificate authority (CA) to Turkish company TurkTrust.

TurkTrust has now confirmed that the problem occurred in August 2011 during a software migration.

An investigation by the company found it had twice mistakenly issued the wrong type of security credential to websites, giving them a form of identification known as an intermediate certificate.

Instead of issuing low-level certificates, TurkTrust had accidentally given the two sites "master keys," which are guarantees of a site's identity to visitors.

One of the keys was given to Turkish public transit agency EGO, based in the capital city of Ankara. It is unknown what, if anything, EGO did with the certificate, but Microsoft claims the body had created a fraudulent digital certificate for

"The logical theory is that the transportation agency was using it to spy on its own employees," Chris Soghoian, a former Federal Trade Commission technology expert, told Reuters.

'The current Certificate Authority system cannot be trusted'

Writing on the Sophos Naked Security blog, Chester Wisniewski said that these certificates "could be used to impersonate any website to any browser without the end user being alerted that anything is wrong."

Wisniewski went on: "Someone was attempting to perform a man-in-the-middle attack against this user's secure communications intended for Google.

"We don't know where this occurred, but it doesn't technically matter very much. This means a Certificate Authority either issued certificates to someone who shouldn't have them or was compromised.

"What I think it means is what I've said before: we can't trust the current Certificate Authority based SSL/TLS system. It is broken and I do not believe it can be easily fixed."

On Christmas Day, Google updated Chrome to block the intermediate CA, and then alerted TurkTrust and other browser vendors, including Microsoft and Mozilla.

Using the fake credentials, the criminals created a website that claimed to be part of the Google+ social network, but the con was spotted when automatic checks performed by Google's Chrome browser noticed the offending certificates.
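As an added illustration (not from the article, TurkTrust or any of the browser vendors named), the constructed Python model below shows why a mis-issued intermediate is dangerous and how Chrome's automatic checks catch it: ordinary path validation accepts a leaf chained through any CA:TRUE certificate under a trusted root, while a public-key pin set for Google's domains rejects a chain that contains none of Google's own keys. It also includes the CA-side audit that would have flagged the two mis-issued certificates. All certificate names and key bytes are placeholders, not real data.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:  # constructed stand-in for an X.509 certificate, no real DER involved
    subject: str
    issuer: str
    spki: bytes   # placeholder for the SubjectPublicKeyInfo bytes
    is_ca: bool   # basicConstraints CA flag

def spki_sha256(cert: Cert) -> str:
    return hashlib.sha256(cert.spki).hexdigest()

def path_valid(chain: list[Cert], trust_anchors: set[str]) -> bool:
    """Simplified path validation, leaf first: each issuer must be the next cert's
    subject with CA:TRUE, and the last cert must be a trusted root (signatures assumed ok)."""
    for child, parent in zip(chain, chain[1:]):
        if child.issuer != parent.subject or not parent.is_ca:
            return False
    return chain[-1].subject in trust_anchors

def pins_satisfied(chain: list[Cert], pinset: set[str]) -> bool:
    """Chrome-style public-key pinning: some SPKI hash in the chain must be on the pin list."""
    return any(spki_sha256(c) in pinset for c in chain)

def audit_ca_flags(issued: list[Cert], intended_cas: set[str]) -> list[str]:
    """CA-side audit: subscribers that received CA:TRUE without being meant to."""
    return [c.subject for c in issued if c.is_ca and c.subject not in intended_cas]

# Constructed certificates modelling the incident; names and keys are placeholders.
ROOT_A = Cert("Example Root A", "Example Root A", b"root-a-key", True)        # the mis-issuing CA
ROOT_B = Cert("Example Root B", "Example Root B", b"root-b-key", True)        # Google's normal chain
SUBSCRIBER = Cert("www.example.test", "Example Root A", b"site-key", False)   # correctly issued
MISISSUED = Cert("Example Transit Agency", "Example Root A", b"agency-key", True)  # should be False
ROGUE_LEAF = Cert("*.google.com", "Example Transit Agency", b"rogue-key", False)
LEGIT_INT = Cert("Example Google Intermediate", "Example Root B", b"legit-int-key", True)
LEGIT_LEAF = Cert("*.google.com", "Example Google Intermediate", b"google-key", False)

TRUST_ANCHORS = {"Example Root A", "Example Root B"}   # both roots ship in the browser store
GOOGLE_PINS = {spki_sha256(LEGIT_INT)}                  # Chrome pins Google's own intermediates

def scenario() -> dict:
    rogue, legit = [ROGUE_LEAF, MISISSUED, ROOT_A], [LEGIT_LEAF, LEGIT_INT, ROOT_B]
    return {
        "rogue_path_valid": path_valid(rogue, TRUST_ANCHORS),  # True: chain alone looks fine
        "rogue_pinned": pins_satisfied(rogue, GOOGLE_PINS),    # False: pinning catches it
        "legit_path_valid": path_valid(legit, TRUST_ANCHORS),
        "legit_pinned": pins_satisfied(legit, GOOGLE_PINS),
        "misissued": audit_ca_flags([SUBSCRIBER, MISISSUED], set()),
    }
```

The point of the two results for the rogue chain is that certificate validity and certificate legitimacy are different checks: only the pin set, not the trust store, knows which keys are allowed to vouch for Google's domains.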

Microsoft, Google and Mozilla soon got to work, patching their browsers to no longer allow access to sites with the fake certificates. Microsoft warned in a security advisory on 3 January: "This fraudulent certificate could be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks against several Google web properties."

Following an investigation, the Turkish certificate authority found that in August 2011 it had mistakenly issued two intermediate CA certificates to organisations that should instead have received regular SSL certificates. After becoming aware of this, Google issued another update to Chrome and again informed other vendors of the situation.

Google explained in a post on its online security blog: "Our actions addressed the immediate problem for our users. Given the severity of the situation, we will update Chrome again in January to no longer indicate Extended Validation status for certificates issued by TurkTrust, though connections to TurkTrust-validated HTTPS servers may continue to be allowed.

"Since our priority is the security and privacy of our users, we may also decide to take additional action after further discussion and careful consideration."