Google detects fake website ID certificate threat
- 4 January 2013
- From the section Technology
Web browser makers have rushed to fix a security lapse that could have allowed cyber thieves to impersonate Google+
The loophole involved an exploit of ID credentials that browsers use to ensure a website is who it claims to be.
By using fake credentials, criminals could have created a website that purported to be part of the Google+ social media network.
The fake ID credentials have been traced back to Turkish security firm TurkTrust which mistakenly issued them.
TurkTrust said there was no evidence the data had been used for dishonest purposes.
An investigation by TurkTrust revealed that in August 2011 it twice accidentally issued the wrong type of security credential, a form of identification known as an intermediate certificate.
Instead of issuing low level certificates it mistakenly gave out what amounted to "master keys" which could have allowed a bogus site to pretend it was the legitimate version without triggering a warning.
"An intermediate certificate is essentially a master key that can create certificates for any domain name," explained security analyst Chester Wisniewski from Sophos in a blogpost about the security lapse.
"These certificates could be used to impersonate any website to any browser without the end user being alerted that anything is wrong."
The certificates are important, he said, because secure use of web shops and other services revolve around interaction between the "master keys" and the lower level security credentials.
The lapse was spotted when automatic checks built into Google's Chrome browser noticed someone was using the program with an unauthorised certificate for the "*.google.com" domain.
Had this not been detected the person could have gone onto to impersonate Google+, Gmail and other services run by the US firm.
The danger would have been that they could then have staged a man-in-the middle attack. This would have involved them relaying targeted users' communications to the real Google services and passing on the responses. By doing this they could have eavesdropped on potentially sensitive messages.
Google said it alerted other browser-makers to the threat after its discovery.
The identity of the person using the unauthorised certificate has not been reported, and their intentions are unknown.
This is not the first time that websites and browser makers have had a problem with security certificates. Fake certificates have been issued before now by several other firms and exposed confidential data including login names and passwords.
"It is really time we move on from this 20-year-old, poorly implemented system," wrote Mr Wisniewski. "It doesn't need to be perfect to beat what we have."