Google exposed by fraudulent certificate

Powered by SC Magazine

Dutch company revokes bad certificate.

Update: A fraudulent digital certificate has circulated for 40 days that allowed attackers to impersonate and steal Google accounts including Gmail.

Dutch company DigiNotar issued the fraudulent * certificate early last month.

The certificate was revoked this morning.

The news first appeared on a Google forum where Iran-based user Alibo reported that Chrome had flagged a certificate warning when Gmail was accessed.

Google Chrome and Mozilla Firefox have since banned DigiNotar certificates.

Hours ago Microsoft issued a security advisory stating that it had removed the DigiNotar root certificate from its Certificate Trust List.

"Websites with certificates issued by DigiNotar will no longer be trusted by Windows Vista and newer versions. This protection is automatic and no customer action is required."

 Alibo speculated that the fraudulent certificiate was issued by the Iranian Government.

"This CA should receive an internet death sentence as their carelessness may have resulted in deaths in Iran,” said an anonymous post which examined the certificate.

It was the second time in five months that Google was compromised by fraudulent digital certificates. In March, an Iranian man claimed responsibility for issuing fraudulent certificates for Google, Yahoo, Skype and Hotmail from Comodo.

The breach strikes at the heart of the flawed digital certificate model. Security experts have voiced concerns about the model - which trusts more than 650 certificate authorities and all major governments to validate the security of websites.

“A single site operator deciding who all their users are required to trust, particularly in this globalised world, doesn't feel quite right when it's the user's data — not the site operator's — that's at risk,” security researcher Moxie Marlinspike said.

“At the moment, if I decide that I don't trust VeriSign or Comodo or any other CA (Certificate Authority), what can I do? The very best I could do would be to remove the offending CA's certificate from my trusted CA database, but then some large percentage of secure sites I visit would break.”

Marlinspike launched the Convergence project at the DefCon conference this month which serves as a crowdsourced alternative to the hierarchical certificate trust model.

Updated at 4:54 with comment from Microsoft.

Copyright © SC Magazine, Australia

Google exposed by fraudulent certificate
Top Stories
Westpac interim CIO resigns
Group CIO yet to be appointed.
Five emerging technologies that will transform financial services
[Blog post] Far out ideas that aren't far off.
Earning the right to innovate
Breaking down the barriers to innovation is a long, but rewarding process, says Bank of Queensland Group CIO, Julie Bale.
Sign up to receive iTnews email bulletins
Latest Comments
What is delaying adoption of public cloud in your organisation?

   |   View results
Lock-in concerns
Application integration concerns
Security and compliance concerns
Unreliable network infrastructure
Data sovereignty concerns
Lack of stakeholder support
Protecting on-premise IT jobs
Difficulty transitioning CapEx budget into OpEx