Turkish government dept issues fake digital certificate for Google sites
Fraudulent digital certificate could be used in man in the middle attacks on Google domains
Microsoft has warned of a fraudulent digital certificate for all Google domains, which was accidentally issued by a Turkish government department.
The Turkish certificate authority Turktrust incorrectly issued two subsidiary Certificate Authority certificates, *.EGO.GOV.TR and e-islem.kktcmerkezbankasi.org; the *.EGO.GOV.TR sub-CA was then used to create a fraudulent digital certificate for *.google.com.
The fraudulent certificate could have been used to intercept SSL traffic as part of a 'man in the middle' attack, spoofing Google's encryption certificate and decrypting secure web sessions to Google Plus and Gmail. Turktrust officials said there is no evidence that the certificate was used for illicit purposes or that Turktrust's own security was breached.
Microsoft has removed the certificate from its Certificate Trust List, which means users of Windows Vista and later who have installed the feature will be protected, while users of Windows XP will have to remove the certificate from their trusted lists manually. Google's Chrome security team has also pushed out an update to the browser's certificate revocation metadata to block certificates issued by the subsidiary CA.
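The mechanism behind the incident, and the blocklist response described above, can be reproduced offline with the Go standard library. The example below is added here and is not code from Microsoft, Google or Turktrust: it generates a fresh root, a subordinate CA certificate that should never have existed, and a wildcard server certificate minted by that sub-CA (using `*.example.com` as a stand-in for the article's `*.google.com`). Standard path validation accepts the forged chain, which is the risk the article describes; adding the sub-CA's SubjectPublicKeyInfo hash to a blocklist, the way a browser pushes revocation metadata, makes the same client reject it. All names and keys are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// chain is a constructed hierarchy: trusted root, mis-issued sub-CA, wildcard leaf.
type chain struct {
	root, subCA, leaf *x509.Certificate
}

// sign issues tmpl under parent (self-signed when parent is nil).
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// buildChain recreates the shape of the incident with freshly generated keys.
func buildChain() (*chain, error) {
	keys := make([]*ecdsa.PrivateKey, 3)
	for i := range keys {
		k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		if err != nil {
			return nil, err
		}
		keys[i] = k
	}
	rootKey, subKey, leafKey := keys[0], keys[1], keys[2]
	now := time.Now()
	caTemplate := func(serial int64, cn string) *x509.Certificate {
		return &x509.Certificate{
			SerialNumber:          big.NewInt(serial),
			Subject:               pkix.Name{CommonName: cn},
			NotBefore:             now.Add(-time.Hour),
			NotAfter:              now.Add(24 * time.Hour),
			IsCA:                  true, // CA:TRUE is what lets this certificate sign others
			BasicConstraintsValid: true,
			KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		}
	}
	root, err := sign(caTemplate(1, "Constructed Root CA"), nil, &rootKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	subCA, err := sign(caTemplate(2, "Constructed mis-issued sub-CA"), root, &subKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      pkix.Name{CommonName: "*.example.com"}, // stand-in for the article's *.google.com
		DNSNames:     []string{"*.example.com"},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf, err := sign(leafTmpl, subCA, &leafKey.PublicKey, subKey)
	if err != nil {
		return nil, err
	}
	return &chain{root: root, subCA: subCA, leaf: leaf}, nil
}

// spkiHash is the hex SHA-256 of the SubjectPublicKeyInfo, the usual pin/block key.
func spkiHash(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// verify runs standard path validation for host, then rejects the connection if
// every valid chain passes through a blocked CA key. A nil blocklist models an
// un-updated client.
func (c *chain) verify(host string, blocked map[string]bool) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(c.root)
	inters.AddCert(c.subCA)
	chains, err := c.leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: host})
	if err != nil {
		return err
	}
	for _, ch := range chains {
		clean := true
		for _, cert := range ch {
			if blocked[spkiHash(cert)] {
				clean = false
				break
			}
		}
		if clean {
			return nil
		}
	}
	return fmt.Errorf("every chain for %s passes through a blocked CA key", host)
}

func main() {
	c, err := buildChain()
	if err != nil {
		panic(err)
	}
	fmt.Println("un-updated client:", c.verify("mail.example.com", nil))
	blocked := map[string]bool{spkiHash(c.subCA): true}
	fmt.Println("client with blocklist:", c.verify("mail.example.com", blocked))
}
```

The first call succeeds because nothing in path validation distinguishes a legitimately issued sub-CA from a mis-issued one: the chain is cryptographically valid all the way to a trusted root. Blocking by SPKI hash rather than by serial number catches every certificate the rogue sub-CA ever signed, not just the one that was noticed, which is why the browser-side response targets the subsidiary CA rather than the individual *.google.com certificate.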