
Turkish government dept issues fake digital certificate for Google sites

Fraudulent digital certificate could be used in man in the middle attacks on Google domains


Microsoft has warned of a fraudulent digital certificate for all Google domains, which was accidentally issued by a Turkish government department.

The Turkish certificate authority Turktrust incorrectly created two subsidiary Certificate Authorities, *.EGO.GOV.TR and e-islem.kktcmerkezbankasi.org, with the *.EGO.GOV.TR subsidiary CA creating a fraudulent digital certificate for *.google.com.

The fraudulent certificate could have been used to intercept SSL traffic as part of a 'man in the middle' attack, which would spoof Google's encryption certificate and decrypt secure Web sessions to Google Plus and Gmail. Turktrust officials said that there is no evidence that the certificate was used for illicit purposes or that Turktrust's security was breached.

Microsoft has removed the certificate from its Certificate Trust List, which means users of Windows Vista and later who have installed the feature will be protected, but users of Windows XP will have to manually remove the certificate from their trusted lists. Google's Chrome security team has also pushed out an update to the browser's certificate revocation metadata to block certificates from the subsidiary CA.
