Google exposed by fraudulent certificate

Powered by SC Magazine

Dutch company revokes bad certificate.

Update: A fraudulent digital certificate circulated for 40 days, allowing attackers to impersonate Google and steal Google accounts, including Gmail.

Dutch company DigiNotar issued the fraudulent wildcard (*) certificate for Google early last month.

The certificate was revoked this morning.

The news first appeared on a Google forum where Iran-based user Alibo reported that Chrome had flagged a certificate warning when Gmail was accessed.

Google Chrome and Mozilla Firefox have since banned DigiNotar certificates.

Hours ago Microsoft issued a security advisory stating that it had removed the DigiNotar root certificate from its Certificate Trust List.

"Websites with certificates issued by DigiNotar will no longer be trusted by Windows Vista and newer versions. This protection is automatic and no customer action is required."

Alibo speculated that the fraudulent certificate was issued by the Iranian Government.

"This CA should receive an internet death sentence as their carelessness may have resulted in deaths in Iran," said an anonymous post which examined the certificate.

It was the second time in five months that Google was compromised by fraudulent digital certificates. In March, an Iranian man claimed responsibility for issuing fraudulent certificates for Google, Yahoo, Skype and Hotmail from Comodo.

The breach strikes at the heart of the flawed digital certificate model. Security experts have voiced concerns about the model, which trusts more than 650 certificate authorities, and through them all major governments, to vouch for the identity of websites: any one of those authorities can issue a certificate for any site, and a browser will accept it.

“A single site operator deciding who all their users are required to trust, particularly in this globalised world, doesn't feel quite right when it's the user's data — not the site operator's — that's at risk,” security researcher Moxie Marlinspike said.

“At the moment, if I decide that I don't trust VeriSign or Comodo or any other CA (Certificate Authority), what can I do? The very best I could do would be to remove the offending CA's certificate from my trusted CA database, but then some large percentage of secure sites I visit would break.”

Marlinspike launched the Convergence project at the DefCon conference this month; it serves as a crowdsourced alternative to the hierarchical certificate trust model.

Updated at 4:54 with comment from Microsoft.

Copyright © SC Magazine, Australia
