SANS Internet Storm Center - SANS ISC InfoSec Forums

New year and new CA compromised

On December 24, 2012, Google detected a non-authorized certificate for the domain. After investigation, it was confirmed that Turktrust Inc incorrectly created two subsidiary certificate authorities:  *.EGO.GOV.TR and The first one was used to create the fraudulent domain certificate detected by Google Chrome. This is a big problem: intermediate CA certificates carry the full authority of the CA, so they can be used to create a certificate for any website the attacker wishes to impersonate.

As a result, Mozilla is revoking trust in both certificates starting January 8; Microsoft issued Security Advisory 2798897, publishing updates that revoke the fake certificate and the two intermediate certification authorities; and Google revoked the same certificates in its Google Chrome updates of December 25 and 26, 2012.

SSL and X.509 have proven weak as a standalone security control and should definitely be combined with other strong authentication controls such as one-time password tokens. You can use other vendors like Vasco, SafeNet and, of course, RSA. Despite all the attacks and intrusions of previous years, they are still a very good, reliable solution.

Manuel Humberto Santander Peláez
SANS Internet Storm Center - Handler
e-mail: msantand at isc dot sans dot org
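
The diary's point that a subsidiary CA certificate can sign for any site comes down, under RFC 5280, to the cA flag in the certificate's basicConstraints extension, a detail the diary itself does not spell out. The following is an added example, not part of the original diary: it walks a DER-encoded certificate and reports whether it is an end-entity or a CA certificate. The function names are this example's own, and the three sample inputs are constructed byte strings rather than real certificates.

```python
BASIC_CONSTRAINTS = bytes.fromhex("551d13")  # DER body of OID 2.5.29.19

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def children(buf, start, end):
    """Yield (tag, value_start, value_end) for each element in buf[start:end]."""
    while start < end:
        tag, vs, ve = read_tlv(buf, start)
        yield tag, vs, ve
        start = ve

def basic_constraints(der, start=0, end=None):
    """Return (is_ca, path_len) from basicConstraints, or None if absent."""
    for tag, vs, ve in children(der, start, len(der) if end is None else end):
        if not tag & 0x20:  # primitive element, nothing nested to walk
            continue
        kids = list(children(der, vs, ve))
        if kids and kids[0][0] == 0x06 and der[kids[0][1]:kids[0][2]] == BASIC_CONSTRAINTS:
            _, ss, se = read_tlv(der, kids[-1][1])  # SEQUENCE inside extnValue
            fields = {t: der[a:b] for t, a, b in children(der, ss, se)}
            is_ca = fields.get(0x01, b"\x00") != b"\x00"  # cA defaults to FALSE
            path_len = int.from_bytes(fields[0x02], "big") if 0x02 in fields else None
            return is_ca, path_len
        found = basic_constraints(der, vs, ve)
        if found is not None:
            return found
    return None

def issuing_power(der):
    """Classify a DER certificate (convert PEM with ssl.PEM_cert_to_DER_cert first)."""
    bc = basic_constraints(der)
    if bc is None or not bc[0]:
        return "end-entity"
    return "CA, unlimited chain depth" if bc[1] is None else f"CA, pathLen={bc[1]}"

def tlv(tag, body):  # short-form DER builder for the constructed samples
    return bytes([tag, len(body)]) + body

def sample(bc_value):  # constructed stand-in: extensions wrapper only, not a real certificate
    ext = tlv(0x30, tlv(0x06, BASIC_CONSTRAINTS) + tlv(0x01, b"\xff") + tlv(0x04, bc_value))
    return tlv(0x30, tlv(0x02, b"\x01") + tlv(0xA3, tlv(0x30, ext)))

LEAF = sample(tlv(0x30, b""))                                            # cA absent
SUB_CA = sample(tlv(0x30, tlv(0x01, b"\xff")))                           # cA TRUE, no pathLen
LIMITED_CA = sample(tlv(0x30, tlv(0x01, b"\xff") + tlv(0x02, b"\x00")))  # cA TRUE, pathLen 0
```

A certificate that was requested for a single host but classifies as "CA, unlimited chain depth" is the condition worth alerting on when reviewing issued certificates.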

Manuel Humberto Santander Peláez

195 Posts
ISC Handler
Jan 3rd 2013
The 3 certificates can easily be imported into the registry in the untrusted certificates store.
See my blogpost

You should take a look at the long list of SANs in the * certificate!

Matthijs Wijers
Schuberg Philis

2 Posts
Let's just fix SSL ourselves:

'nuff said ?

Dom De Vitto

45 Posts
