Google exposed by fraudulent certificate

Powered by SC Magazine
 

Dutch company revokes bad certificate.

Update: A fraudulent digital certificate has circulated for 40 days that allowed attackers to impersonate and steal Google accounts including Gmail.

Dutch company DigiNotar issued the fraudulent *google.com certificate early last month.

The certificate was revoked this morning.

The news first appeared on a Google forum where Iran-based user Alibo reported that Chrome had flagged a certificate warning when Gmail was accessed.

Google Chrome and Mozilla Firefox have since banned DigiNotar certificates.

Hours ago Microsoft issued a security advisory stating that it had removed the DigiNotar root certificate from its Certificate Trust List.

"Websites with certificates issued by DigiNotar will no longer be trusted by Windows Vista and newer versions. This protection is automatic and no customer action is required."

 Alibo speculated that the fraudulent certificiate was issued by the Iranian Government.

"This CA should receive an internet death sentence as their carelessness may have resulted in deaths in Iran,” said an anonymous post which examined the certificate.

It was the second time in five months that Google was compromised by fraudulent digital certificates. In March, an Iranian man claimed responsibility for issuing fraudulent certificates for Google, Yahoo, Skype and Hotmail from Comodo.

The breach strikes at the heart of the flawed digital certificate model. Security experts have voiced concerns about the model - which trusts more than 650 certificate authorities and all major governments to validate the security of websites.

“A single site operator deciding who all their users are required to trust, particularly in this globalised world, doesn't feel quite right when it's the user's data — not the site operator's — that's at risk,” security researcher Moxie Marlinspike said.

“At the moment, if I decide that I don't trust VeriSign or Comodo or any other CA (Certificate Authority), what can I do? The very best I could do would be to remove the offending CA's certificate from my trusted CA database, but then some large percentage of secure sites I visit would break.”

Marlinspike launched the Convergence project at the DefCon conference this month which serves as a crowdsourced alternative to the hierarchical certificate trust model.

Updated at 4:54 with comment from Microsoft.

Copyright © SC Magazine, Australia


Google exposed by fraudulent certificate
 
 
 
Top Stories
ANZ looks to life beyond the transaction
If digital disruptors think an online payments startup could rock the big four, they’ve missed the point of why people use banks, says Patrick Maes.
 
What InfoSec can learn from the insurance industry
[Blog post] Another way data breach laws could help manage risk.
 
A ten-point plan for disrupting security
[Blog post] How can you defend the perimeter when it’s in the cloud?
 
 
Sign up to receive iTnews email bulletins
   FOLLOW US...
Latest Comments
Polls
What is delaying adoption of public cloud in your organisation?







   |   View results
Lock-in concerns
  29%
 
Application integration concerns
  3%
 
Security and compliance concerns
  27%
 
Unreliable network infrastructure
  9%
 
Data sovereignty concerns
  21%
 
Lack of stakeholder support
  3%
 
Protecting on-premise IT jobs
  4%
 
Difficulty transitioning CapEx budget into OpEx
  3%
TOTAL VOTES: 1047

Vote