Friday, January 4, 2013

Searching the ICSI Notary for Rogue Turktrust Intermediate Certificates

Turktrust, a Certificate Authority (CA) that is trusted by all major browsers and systems, accidentally issued intermediate CA certificates instead of end-host certificates to two of its clients. Both of these intermediates were valid and signed by the Turktrust root, and hence they could be used to sign certificates for any site on the Internet. Having access to an intermediate CA certificate also makes it possible to mount difficult-to-detect man-in-the-middle attacks on SSL connections.

According to Turktrust, both of the certificates were created on the 8th of August, 2011.

At least one of the certificates was used to create a rogue *.google.com certificate that was used for a man-in-the-middle attack. Google became aware of the certificate because Chrome detected it, blocked access, and sent a report back to Google.

We examined the data of the ICSI Certificate Notary: since the start of our data collection effort in February, no user at any of the sites we monitor has encountered either of the two intermediate certificates. That's good news and suggests that the intermediate certificates were indeed not used in a wide-scale attack, but only on a local gateway interface, as stated by Turktrust.

Updates to distrust the rogue intermediate CA certificates have been pushed by all major browser and operating system vendors.
