Google says that someone was caught trying to use an unauthorized digital certificate issued in its name in an attempt to impersonate Google.com for a man-in-the-middle attack.
Google revealed in a blog post Thursday that its Chrome web browser detected the certificate being used late on the evening of Dec. 24 and immediately blocked it.
The unauthorized certificate was created after a Trusted Root certificate authority in Turkey, Turktrust, issued intermediate Certificate Authority certificates to two entities last year that should not have received them. Turktrust told Google that it issued the two CA certificates by mistake, inadvertently giving the two entities certificate authority status.
With CA status, the two entities could then generate digital certificates, like a trusted certificate authority, for any domain. These digital certificates could then be misused to intercept traffic intended for that domain in order to steal log-in credentials or read communication.
Google did not identify the two entities who were issued CA certificates, but Microsoft identified them in a blog post as *.EGO.GOV.TR, a Turkish government agency that operates buses and other public transportation in that country, and http://e-islam.kktcmerkezbankasi.org, a domain that does not currently resolve to anything.
The unauthorized Google.com certificate was generated under the *.EGO.GOV.TR certificate authority and was being used to man-in-the-middle traffic on the *.EGO.GOV.TR network. Google’s spokesman said the unauthorized Google certificate was created sometime in early December, fourteen months after Turktrust issued the CA certificate to *.EGO.GOV.TR.
The *.google.com certificate, a so-called wild-card certificate, would have allowed whoever was using it to intercept and read any communication that passed from users on the *.EGO.GOV.TR network to any google.com domain, including encrypted Gmail traffic.
Google engineers have updated Chrome’s revocation list to block any other unauthorized certificates that might have been issued by the two companies. Google also notified Microsoft and Mozilla so that they could update their browsers to block certificates from these companies. Mozilla said in a blog post that it was also suspending Turktrust from inclusion in its trusted root certificate list pending further investigation into how the mixup occurred.