Google exposed by fraudulent certificate


Dutch company revokes bad certificate.

Update: A fraudulent digital certificate for Google domains circulated for roughly 40 days, allowing anyone who could intercept traffic to impersonate Google services and steal users' account credentials, including Gmail logins.

Dutch certificate authority DigiNotar issued the fraudulent wildcard (*) certificate for Google early last month.

The certificate was revoked this morning.

The news first appeared on a Google product forum, where an Iran-based user, Alibo, reported that Chrome had displayed a certificate warning when he accessed Gmail.

Google Chrome and Mozilla Firefox have since blocked certificates that chain to DigiNotar's root.

Hours ago, Microsoft issued a security advisory stating that it had removed the DigiNotar root certificate from its Certificate Trust List.

"Websites with certificates issued by DigiNotar will no longer be trusted by Windows Vista and newer versions. This protection is automatic and no customer action is required."
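To make concrete what "removing the root from the trust list" does, and why a client can be protected even while a rogue root is still trusted, here is an added example in Go. It is not code from the article, DigiNotar or any browser vendor. It builds two toy CAs (a legitimate root and a stand-in for a compromised CA, both constructed for the example), issues a wildcard server certificate from each for the invented domain *.example.test, and then shows three things: ordinary chain validation accepts the fraudulent certificate as long as its root is in the store; a public-key pin for the site rejects it regardless; and removing the rogue root from the trust pool, which is what a trust-list update does, makes the chain fail with an unknown-authority error.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// mint signs template under parent with signer and parses the resulting DER.
func mint(template, parent *x509.Certificate, pub crypto.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, template, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildCA returns a self-signed toy root (constructed for this example, not a real CA).
func BuildCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	cert, err := mint(tmpl, tmpl, &key.PublicKey, key)
	return cert, key, err
}

// IssueLeaf has ca sign a TLS server certificate for dnsName (wildcards allowed) with a fresh key.
func IssueLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, dnsName string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: dnsName},
		DNSNames:     []string{dnsName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return mint(tmpl, ca, &key.PublicKey, caKey)
}

// VerifyHost does what a TLS client does: chain leaf to a root in pool and match the host name.
// A nil error means the certificate would be accepted.
func VerifyHost(leaf *x509.Certificate, pool *x509.CertPool, host string) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err
}

// SPKIPin is the base64 SHA-256 of the SubjectPublicKeyInfo, the form used for browser key pins.
func SPKIPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// CheckPin reports whether leaf carries one of the keys the client has pinned for this site.
func CheckPin(leaf *x509.Certificate, pins []string) bool {
	got := SPKIPin(leaf)
	for _, p := range pins {
		if p == got {
			return true
		}
	}
	return false
}

func main() { // errors elided for brevity in the demo
	goodRoot, goodKey, _ := BuildCA("Toy Trust Root")
	rogueRoot, rogueKey, _ := BuildCA("Toy Rogue CA") // stands in for a compromised CA
	goodLeaf, _ := IssueLeaf(goodRoot, goodKey, "*.example.test")
	rogueLeaf, _ := IssueLeaf(rogueRoot, rogueKey, "*.example.test") // the fraudulent wildcard
	store := x509.NewCertPool()                                      // 1. both roots trusted
	store.AddCert(goodRoot)
	store.AddCert(rogueRoot)
	fmt.Println("rogue leaf with rogue root trusted:", VerifyHost(rogueLeaf, store, "mail.example.test"))
	fmt.Println("rogue leaf passes site pin:", CheckPin(rogueLeaf, []string{SPKIPin(goodLeaf)})) // 2. pin
	pruned := x509.NewCertPool()                                                                  // 3. root removed
	pruned.AddCert(goodRoot)
	fmt.Println("rogue leaf after distrust:", VerifyHost(rogueLeaf, pruned, "mail.example.test"))
}
```

The example deliberately does not model CRL or OCSP checks: clients commonly soft-fail when a revocation check cannot complete, which is why vendors pushed root removal and pins rather than relying on the revocation in the item above to protect users.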

Alibo speculated that the Iranian Government was behind the fraudulent certificate.

"This CA should receive an internet death sentence as their carelessness may have resulted in deaths in Iran," said an anonymous post analysing the certificate.

It was the second time in five months that a trusted certificate authority had issued fraudulent certificates for Google domains. In March, an Iranian man claimed responsibility for fraudulent certificates for Google, Yahoo, Skype and Hotmail issued through Comodo.

The breach strikes at the heart of the certificate authority trust model. Security experts have long voiced concerns about the model, in which browsers trust more than 650 certificate authorities, including ones answerable to all major governments, to vouch for the identity of websites, and any one of those authorities can issue a certificate for any domain.

“A single site operator deciding who all their users are required to trust, particularly in this globalised world, doesn't feel quite right when it's the user's data — not the site operator's — that's at risk,” security researcher Moxie Marlinspike said.

“At the moment, if I decide that I don't trust VeriSign or Comodo or any other CA (Certificate Authority), what can I do? The very best I could do would be to remove the offending CA's certificate from my trusted CA database, but then some large percentage of secure sites I visit would break.”

Marlinspike launched the Convergence project at the DefCon conference this month. It is a crowdsourced alternative to the hierarchical certificate trust model: instead of a fixed list of CAs, the user chooses which notaries vouch for a site's certificate and can drop any of them without breaking the sites they visit.

Updated at 4:54 with comment from Microsoft.


Copyright © SC Magazine, Australia

