November 27, 2014

In Brief: Microsoft, Google and Mozilla all block digital certificates issued by an intermediate certificate authority of TURKTRUST

(LiveHacking.Com) – Microsoft, Google and Mozilla have all removed trust in certificates issued by an intermediate certificate authority (CA) linking back to TURKTRUST Inc. TURKTRUST Inc. incorrectly created two subsidiary CAs (*.EGO.GOV.TR and e-islem.kktcmerkezbankasi.org), the first of which was used to issue a fraudulent digital certificate for *.google.com.

Intermediate CA certificates carry the same authority as a CA, so anyone who holds one can use it to create a certificate for any website. Fraudulent certificates can be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks.

“TURKTRUST told us that based on our information, they discovered that, in August 2011, they had mistakenly issued two intermediate CA certificates to organizations that should have instead received regular SSL certificates,” wrote Google.
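What separates an intermediate CA certificate from a regular SSL certificate is the X.509 basicConstraints extension (CA:TRUE). The following added example, which is not from the original article, is a standard-library Python audit that reads that flag from PEM or DER certificates and lists any that were issued as a CA when a regular certificate was ordered; the order labels and sample bytes are constructed.

```python
import ssl

BASIC_CONSTRAINTS = bytes.fromhex("551d13")  # OID 2.5.29.19

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def children(buf, start, end):
    """List the (tag, value_start, value_end) elements packed in buf[start:end]."""
    out = []
    while start < end:
        out.append(read_tlv(buf, start))
        start = out[-1][2]
    return out

def basic_constraints(cert):
    """Return (is_ca, path_len) for a PEM str or DER bytes; (False, None) if absent."""
    der = ssl.PEM_cert_to_DER_cert(cert) if isinstance(cert, str) else cert
    stack = [(0, len(der))]
    while stack:
        kids = children(der, *stack.pop())
        if kids and kids[0][0] == 0x06 and der[kids[0][1]:kids[0][2]] == BASIC_CONSTRAINTS:
            _, seq_start, seq_end = read_tlv(der, kids[-1][1])  # SEQUENCE inside extnValue
            is_ca, path_len = False, None  # cA defaults to FALSE when omitted
            for tag, a, b in children(der, seq_start, seq_end):
                if tag == 0x01:
                    is_ca = der[a] != 0
                elif tag == 0x02:
                    path_len = int.from_bytes(der[a:b], "big")
            return is_ca, path_len
        stack.extend((s, e) for tag, s, e in kids if tag & 0x20)  # descend into constructed
    return False, None

def unintended_cas(issued):
    """issued: (label, ordered_as_ca, cert) tuples. Labels that got signing power unasked."""
    return [label for label, ordered_as_ca, cert in issued
            if basic_constraints(cert)[0] and not ordered_as_ca]

# Constructed sample input: bare basicConstraints extensions standing in for full
# certificates (the search works the same on a whole DER or PEM certificate).
SAMPLE = [
    ("ssl-order-1", False, bytes.fromhex("300f0603551d130101ff040530030101ff")),  # CA:TRUE
    ("ssl-order-2", False, bytes.fromhex("300c0603551d130101ff04023000")),        # CA:FALSE
    ("sub-ca-order", True, bytes.fromhex("30120603551d130101ff040830060101ff020100")),
]
print(unintended_cas(SAMPLE))
```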

Google is also considering an update to Chrome that will no longer indicate Extended Validation status for certificates issued by TURKTRUST. Mozilla has suspended the TURKTRUST root certificate. TURKTRUST subsequently asked Mozilla to include a newer root certificate and their request was initially approved. However, due to the mis-issued intermediate CA certificates, Mozilla has decided to suspend inclusion of the new root certificate for now.
