According to Mozilla, Microsoft and Google, TURKTRUST issued a pair of incorrect subsidiary certificate authorities. The subsidiary CAs then issued illegitimate SSL certificates for *.google.com
Google updated its SSL certificate revocation list on Dec. 26, blocking the two fraudulent certificates. Microsoft issued an advisory on Jan. 3, disclosing that it was aware of active attacks using a fraudulent digital certificate issued by TURKTRUST. Microsoft also automatically blocked the two fraudulent certificates for Windows users with an update.
Mozilla is also revoking trust for the TURKTRUST certificates, though not quite as fast.
“I think more people know that the current CA based system is based on operational integrity of the providers with little oversight,” Qualys CTO Wolfgang Kandek told InternetNews. ” Each time such a case happens and is publicized it makes it clear that we need better mechanisms that what is in place today.”
Kandek noted that full detailed information about how Google detected the issue is not publicly available, but in his view, it is reasonable to assume that Google Chrome’s certificate pinning played a role in the detection. He noted that Google is many cases in the rare position to control both sides of the communication between browser and website, i.e. when a end-user accesses a Google website (search, mail, etc) with the Chrome browser.
“The Chrome browser ‘knows’ who emitted the certificate for a Google website, it is specified in the source-code (http://src.chromium.org/viewvc/chrome/trunk/src/net/base/transport_security_state_static.h),” Kandek explained. “Whenever a Google website identifies itself with a certificate not emitted by the hardcoded entities it pop up an alert and inform the user about the mismatch. This mechanism has already worked in the DigiNotar/Iran case in 2011.”
Kandek added that the source code approach is not scalable that way but it shows that the browser vendors are in the best position to effet fast change. He also suggests that browser vendors should immediately support the user better in selecting what certificate authorities they actually care about and provide a alerting mechanism.
“It has to be easier to only enable certificates that one actually uses and disables all others,” Kandek said. “Interestingly enough we do not need everybody to participate in the tightening of the certificate standards to detect fraud, if a subset of the browser users do it it already serves as a working alert system for the community at large.”
Sean Michael Kerner is a senior editor at InternetNews.com, the news service of the IT Business Edge Network, the network for technology professionals Follow him on Twitter @TechJournalist.
