Turkish government dept issues fake digital certificate for Google sites

Fraudulent digital certificate could be used in man-in-the-middle attacks on Google domains

Tags: Google Incorporated, Microsoft Corporation, Turkey
By Mark Sutton. Published January 6, 2013

Microsoft has warned of a fraudulent digital certificate for all Google domains, which was accidentally issued by a Turkish government department.

The Turkish certificate authority Turktrust incorrectly created two subsidiary Certificate Authorities, *.EGO.GOV.TR and e-islem.kktcmerkezbankasi.org, and the *.EGO.GOV.TR subsidiary CA was then used to create a fraudulent digital certificate for *.google.com.

The fraudulent certificate could have been used to intercept SSL traffic as part of a 'man in the middle' attack, which would spoof Google's encryption certificate and decrypt secure Web sessions to Google Plus and Gmail. Turktrust officials said that there is no evidence that the certificate was used for illicit purposes or that Turktrust's security was breached.

Microsoft has removed the certificate from its Certificate Trust List, which means users of Windows Vista and later who have installed the feature will be protected, but users of Windows XP will have to manually remove the certificate from trusted lists. Google's Chrome security team has also pushed out an update of the browser's certificate revocation metadata to block certificates from the subsidiary CA.
