Google detects fake website ID certificate threat

Updated on: 2013-01-06 || Source: bbc.com

 

Web browser makers have rushed to fix a security lapse that could have allowed cyber thieves to impersonate Google+.

The loophole involved an exploit of ID credentials that browsers use to ensure a website is who it claims to be.

By using fake credentials, criminals could have created a website that purported to be part of the Google+ social media network.

The fake ID credentials have been traced back to Turkish security firm TurkTrust which mistakenly issued them.

TurkTrust said there was no evidence the data had been used for dishonest purposes.

Secure code

An investigation by TurkTrust revealed that in August 2011 it twice accidentally issued the wrong type of security credential, a form of identification known as an intermediate certificate.

Instead of issuing low-level certificates, it mistakenly gave out what amounted to "master keys" which could have allowed a bogus site to pretend it was the legitimate version without triggering a warning.

"An intermediate certificate is essentially a master key that can create certificates for any domain name," explained security analyst Chester Wisniewski from Sophos in a blogpost about the security lapse.

"These certificates could be used to impersonate any website to any browser without the end user being alerted that anything is wrong."

The certificates are important, he said, because secure use of web shops and other services revolves around interaction between the "master keys" and the lower-level security credentials.

The lapse was spotted when automatic checks built into Google's Chrome browser noticed someone was using the program with an unauthorised certificate for the "*.google.com" domain.

Had this not been detected, the person could have gone on to impersonate Google+, Gmail and other services run by the US firm.

The danger would have been that they could then have staged a man-in-the-middle attack. This would have involved them relaying targeted users' communications to the real Google services and passing on the responses. By doing this they could have eavesdropped on potentially sensitive messages.

Google said it alerted other browser-makers to the threat after its discovery.

Microsoft and Firefox developer Mozilla subsequently issued updates which revoke the two wrongly issued intermediate certificates.

The identity of the person using the unauthorised certificate has not been reported, and their intentions are unknown.

This is not the first time that websites and browser makers have had a problem with security certificates. Fake certificates have been issued before now by several other firms and exposed confidential data including login names and passwords.

"It is really time we move on from this 20-year-old, poorly implemented system," wrote Mr Wisniewski. "It doesn't need to be perfect to beat what we have."
