TurkTrust CA certificate breach and what does it mean for you
A pseudo analysis of the issue that was brought to my attention by Eric Klien’s post here. The following text is slightly edited version of my comment on the post, reproduced here because I think its important for my readers to be aware of the issue.
A new CA kerfuffle has broken out yesterday, and here are some of the headlines:
- Google detects fake website ID certificate threat
- Fake Turkish site certs create threat of bogus Google sites
The information for the discussion below was sourced from these, more technical, articles1:
- Rogue Google SSL certificate not used for dishonest purposes, Turktrust says
- SSL Certificate Authority Puts Google at Risk (Again)
- Errant Google Domain Traced To CA’s Mistakes
To summarize, the problem was a botched test process in TurkTrust CA (as part of an external security audit) that caused a CA profile to be set up to generate “sub CA” certificates, and following that the profile was copied to the production system and subsequently used to generate two certificates before the problem was discovered and fixed (I assume the test profile was removed from the production system), but only 1 of those certificate was revoked. (more…)
- I applaud BBC for trying to present a complex security issue in “layman terms”, but as someone who is familiar with the technology in question, it gave me quite a headache, trying to “reverse translate” the text [↩]