Google detects fake website ID certificate threat

Screengrab of Google Plus social network The lapse could have let cyber thieves trick people into thinking they were on Google+

Related Stories

Web browser makers have rushed to fix a security lapse that could have allowed cyber thieves to impersonate Google+

The loophole involved an exploit of ID credentials that browsers use to ensure a website is who it claims to be.

By using fake credentials, criminals could have created a website that purported to be part of the Google+ social media network.

The fake ID credentials have been traced back to Turkish security firm TurkTrust which mistakenly issued them.

TurkTrust said there was no evidence the data had been used for dishonest purposes.

Secure code

An investigation by TurkTrust revealed that in August 2011 it twice accidentally issued the wrong type of security credential, a form of identification known as an intermediate certificate.

Instead of issuing low level certificates it mistakenly gave out what amounted to "master keys" which could have allowed a bogus site to pretend it was the legitimate version without triggering a warning.

"An intermediate certificate is essentially a master key that can create certificates for any domain name," explained security analyst Chester Wisniewski from Sophos in a blogpost about the security lapse.

"These certificates could be used to impersonate any website to any browser without the end user being alerted that anything is wrong."

The certificates are important, he said, because secure use of web shops and other services revolve around interaction between the "master keys" and the lower level security credentials.

The lapse was spotted when automatic checks built into Google's Chrome browser noticed someone was using the program with an unauthorised certificate for the "*.google.com" domain.

Had this not been detected the person could have gone onto to impersonate Google+, Gmail and other services run by the US firm.

The danger would have been that they could then have staged a man-in-the middle attack. This would have involved them relaying targeted users' communications to the real Google services and passing on the responses. By doing this they could have eavesdropped on potentially sensitive messages.

Google said it alerted other browser-makers to the threat after its discovery.

Microsoft and Firefox developer Mozilla subsequently issued updates which revoke the two wrongly issued intermediate certificates.

The identity of the person using the unauthorised certificate has not been reported, and their intentions are unknown.

This is not the first time that websites and browser makers have had a problem with security certificates. Fake certificates have been issued before now by several other firms and exposed confidential data including login names and passwords.

"It is really time we move on from this 20-year-old, poorly implemented system," wrote Mr Wisniewski. "It doesn't need to be perfect to beat what we have."

More on This Story

Related Stories

The BBC is not responsible for the content of external Internet sites

More Technology stories

RSS

Features & Analysis

BBC Future

(Thinkstock)

‘I freeze people to cheat death’

The man with 100 bodies in his freezer Read more...

Programmes

  • Hitch-hiking robot HitchBOTClick Watch

    Hitch-hiking robot HitchBOT completes a 6,000 km (3,700 mile) trip plus other tech news

BBC © 2014 The BBC is not responsible for the content of external sites. Read more.

This page is best viewed in an up-to-date web browser with style sheets (CSS) enabled. While you will be able to view the content of this page in your current browser, you will not be able to get the full visual experience. Please consider upgrading your browser software or enabling style sheets (CSS) if you are able to do so.