New year and new CA compromised

Published: 2013-01-03
Last Updated: 2013-01-03 22:27:29 UTC
by Manuel Humberto Santander Pelaez (Version: 1)
2 comment(s)

In december 24 2012, google detected a non-authorized certificate for the domain. After investigations, it was confirmed that Turktrust Inc incorrectly created two subsidiary certificate authorities:  *.EGO.GOV.TR and The first one was used to create the  fraudulent domain certificate detected by Google Chrome. This is a big problem since intermediate CA certificates carry the full authority of the CA and therefore they can be used to create a certificate for any website the attacker wish to impersonate.

As a result of this problem, Mozilla is revoking starting January 8 the trust to both certificates, Microsoft issued the security advisory 2798897, publishing updates to revoke the fake certificate and the two intermediate certification authorities and Google revoked same certs in Google Chrome in december 25 and 26 2012 updates.

SSL and X.509 has been proven weak as a standalone security control and definitely should be used with other strong authentication controls like One Time Password tokens. You can use other vendors like Vasco, Safenet and, of course, RSA. Despite all attacks and intrusions from previous years, they are still a very good reliable solution.

Manuel Humberto Santander Peláez
SANS Internet Storm Center - Handler
e-mail: msantand at isc dot sans dot org

2 comment(s)


The 3 certificates can easily be imported into the registry in the untrusted certificates store.
See my blogpost

You should take a look at the long list of SANs in the * certificate!

Matthijs Wijers
Schuberg Philis
Lets just fix SSL ourselves:

'nuff said ?

Dom De Vitto

Diary Archives