
SANS ISC: InfoSec Handlers Diary Blog



New year and new CA compromised

Published: 2013-01-03
Last Updated: 2013-01-03 22:27:29 UTC
by Manuel Humberto Santander Pelaez (Version: 1)
2 comment(s)

On December 24, 2012, Google detected an unauthorized certificate for the google.com domain. After investigation, it was confirmed that Turktrust Inc. incorrectly created two intermediate certificate authorities: *.EGO.GOV.TR and e-islam.kktcmerkezbankasi.org. The first one was used to create the fraudulent google.com domain certificate detected by Google Chrome. This is a big problem, since intermediate CA certificates carry the full authority of the CA and can therefore be used to create a certificate for any website the attacker wishes to impersonate.
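To show why a certificate that carries CA authority can vouch for any site, and which standard X.509 limits would have contained the mistake, the following added example (not part of the original diary) applies the basicConstraints, pathLenConstraint and DNS nameConstraints checks to certificates modelled as decoded fields. The dict layout, the function names and all `.example` names are constructed assumptions, and the name check is simplified to the requested host only.

```python
# Certificates are modelled by the decoded fields that matter here (the ones
# `openssl x509 -text` prints). Layout and all values are constructed samples.

def name_permitted(host, subtrees):
    """DNS name constraint: host equals a permitted subtree or lies beneath it."""
    host = host.lower().rstrip(".")
    bases = [s.lower().lstrip(".") for s in subtrees]
    return any(host == b or host.endswith("." + b) for b in bases)

def validate_chain(chain, host):
    """chain is ordered root -> intermediates -> leaf. Returns (ok, reason)."""
    *issuers, leaf = chain
    for depth, ca in enumerate(issuers):
        if not ca["ca"]:
            return False, f"{ca['subject']}: CA:FALSE, may not sign certificates"
        following = len(issuers) - depth - 1  # CA certs between this one and the leaf
        if ca["path_len"] is not None and following > ca["path_len"]:
            return False, f"{ca['subject']}: pathLenConstraint exceeded"
        if ca["permitted_dns"] is not None and not name_permitted(host, ca["permitted_dns"]):
            return False, f"{ca['subject']}: name constraints do not cover {host}"
    if host not in leaf["dns_names"]:
        return False, f"leaf does not name {host}"
    return True, "chain accepted"

def cert(subject, ca=False, path_len=None, permitted_dns=None, dns_names=()):
    """Build one constructed sample certificate record."""
    return {"subject": subject, "ca": ca, "path_len": path_len,
            "permitted_dns": permitted_dns, "dns_names": list(dns_names)}

ROOT = cert("Example Root CA", ca=True)
LEAF = cert("www.bank.example", dns_names=["www.bank.example"])
# The kind of mistake described above: a certificate meant for one
# organisation's hosts is issued with CA:TRUE and no constraints.
MISISSUED = cert("*.agency.example", ca=True)
# The same certificate as an end-entity certificate (CA:FALSE).
END_ENTITY = cert("*.agency.example", ca=False)
# Limits a root can place on what sits beneath it.
ROOT_PATHLEN0 = cert("Example Root CA", ca=True, path_len=0)
CONSTRAINED = cert("Agency CA", ca=True, permitted_dns=["agency.example"])

if __name__ == "__main__":
    for label, chain in [("mis-issued CA:TRUE", [ROOT, MISISSUED, LEAF]),
                         ("end entity as issuer", [ROOT, END_ENTITY, LEAF]),
                         ("root pathLen=0", [ROOT_PATHLEN0, MISISSUED, LEAF]),
                         ("name-constrained CA", [ROOT, CONSTRAINED, LEAF])]:
        print(f"{label:22} -> {validate_chain(chain, 'www.bank.example')}")
```

Only the first chain is accepted; each of the other three is rejected by one of the checks, which is the containment the unconstrained intermediate lacked.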

As a result of this problem, Mozilla is revoking trust in both certificates starting January 8; Microsoft issued Security Advisory 2798897, publishing updates to revoke the fake google.com certificate and the two intermediate certification authorities; and Google revoked the same certificates in Google Chrome in its December 25 and 26, 2012 updates.

SSL and X.509 have been proven weak as a standalone security control and should definitely be used together with other strong authentication controls such as one-time password tokens. You can use vendors like Vasco, Safenet and, of course, RSA. Despite all the attacks and intrusions of previous years, they are still a very good, reliable solution.

Manuel Humberto Santander Peláez
SANS Internet Storm Center - Handler
Twitter: @manuelsantander
Web: http://manuel.santander.name
e-mail: msantand at isc dot sans dot org
