Certificate Authority Issues Lead Hackers To Impersonate Google

Friday, January 4, 2013 14:23

(Before It's News)

Lee Rannals for redOrbit.com – Your Universe Online

Google has said that its Chrome Web browser users are at risk of phishing attacks due to Certificate Authority issues.

Google wrote in a blog post titled “Enhancing digital certificate security” that it first detected the problem using Chrome’s certificate pinning on December 24th.

Criminals used fake credentials to create a website that claimed to be part of the Google+ social media network. They were able to exploit ID credentials that browsers use to ensure a website is who it claims to be.

Turkish security firm TurkTrust revealed through an investigation that it accidentally issued the wrong type of security credential, a form of ID known as an intermediate certificate. Instead of issuing low-level certificates, it gave out two “master keys” that are only given to owners of websites.

“These certificates could be used to impersonate any website to any browser without the end user being alerted that anything is wrong,” security analyst Chester Wisniewski from Sophos wrote in a blog post.

Wisniewski said the certificates are important because the secure use of web shops and other services needs interaction between the master keys and lower-level security credentials.

“Given the severity of the situation, we will update Chrome again in January to no longer indicate Extended Validation status for certificates issued by TurkTrust, though connections to TurkTrust-validated HTTPS servers may continue to be allowed,” Google software engineer Adam Langley wrote in a blog post.

Microsoft said it would be updating the Certificate Trust list, and is also going to provide a Windows update to remove the trust of the fake certificates.

Mozilla director of security assurance Michael Coates said that the company is planning to release an update for Firefox next Tuesday to fix the issue.

Back in 2011, another fake certificate allowed hackers to steal passwords and data from Google sites for nearly two months before it was blocked.

“What I think it means is what I’ve said before: we can’t trust the current Certificate Authority based SSL/TLS system. It is broken and I do not believe it can be easily fixed,” Wisniewski wrote.

“It is really time we move on from this 20-year-old, poorly implemented system,” he added. “Whether it is the Public Key Pinning Extension for HTTP, Convergence, Trusted Assertions for Certificate Keys (TACK) or DNSSEC-TLS, we’ve got to pick something and start implementing it.”
