New year and new CA compromised
by Manuel Humberto Santander Pelaez (Version: 1)
In december 24 2012, google detected a non-authorized certificate for the google.com domain. After investigations, it was confirmed that Turktrust Inc incorrectly created two subsidiary certificate authorities: *.EGO.GOV.TR and e-islam.kktcmerkezbankasi.org. The first one was used to create the fraudulent google.com domain certificate detected by Google Chrome. This is a big problem since intermediate CA certificates carry the full authority of the CA and therefore they can be used to create a certificate for any website the attacker wish to impersonate.
As a result of this problem, Mozilla is revoking starting January 8 the trust to both certificates, Microsoft issued the security advisory 2798897, publishing updates to revoke the fake google.com certificate and the two intermediate certification authorities and Google revoked same certs in Google Chrome in december 25 and 26 2012 updates.
SSL and X.509 has been proven weak as a standalone security control and definitely should be used with other strong authentication controls like One Time Password tokens. You can use other vendors like Vasco, Safenet and, of course, RSA. Despite all attacks and intrusions from previous years, they are still a very good reliable solution.
Manuel Humberto Santander Peláez
SANS Internet Storm Center - Handler
Twitter:@manuelsantander
Web:http://manuel.santander.name
e-mail: msantand at isc dot sans dot org
Comments
See my blogpost http://www.cupfighter.net/index.php/2013/01/turktrust-fraudulent-digital-certificates-could-allow-spoofing-diginotar-the-sequel/
You should take a look at the long list of SANs in the *.google.com certificate!
cheers,
Matthijs Wijers
Schuberg Philis
Matthijs Wijers
Jan 3rd 2013
1 decade ago
http://convergence.io/
'nuff said ?
Dom De Vitto
Dom
Jan 3rd 2013
1 decade ago