TurkTrust CA certificate breach and what does it mean for you
A pseudo analysis of the issue that was brought to my attention by Eric Klien’s post here. The following text is slightly edited version of my comment on the post, reproduced here because I think its important for my readers to be aware of the issue.
A new CA kerfuffle has broken out yesterday, and here are some of the headlines:
- Google detects fake website ID certificate threat
- Fake Turkish site certs create threat of bogus Google sites
The information for the discussion below was sourced from these, more technical, articles1:
- Rogue Google SSL certificate not used for dishonest purposes, Turktrust says
- SSL Certificate Authority Puts Google at Risk (Again)
- Errant Google Domain Traced To CA’s Mistakes
To summarize, the problem was a botched test process in TurkTrust CA (as part of an external security audit) that caused a CA profile to be set up to generate “sub CA” certificates, and following that the profile was copied to the production system and subsequently used to generate two certificates before the problem was discovered and fixed (I assume the test profile was removed from the production system), but only 1 of those certificate was revoked.
The second certificate was used benignly for about a year before some smart-ass IT guy in a Turkish government agency2 discovered the “interesting” certificate and installed it in a Checkpoint firewall product that has an “HTTPS inspection” feature (read about it in this Checkpoint FAQ). This feature, when installed with a CA certificate, will cause the firewall to intercept any HTTPS traffic, generate on the fly a new certificate for the target web site and perform a “man in the middle” attack on the connection. This problem was detected because Google Chrome “protects” Google’s web sites by detecting this exact attack against Google’s certificates and will raise alarm bells in Google HQ.
Likely there was no malicious intent in the attack – just some jerk who thought it is a good laugh. That being said, the capability discussed here is available to everyone – if you work in a company and use an IT provided operating system, IT could have pre-installed their own self-signed CA certificate on your computer and can have all your HTTPS traffic tracked without your knowledge. This may even be legitimate in some countries.
The only way to detect if this is the case is to get an installation of Google Chrome directly from Google and use it to access GMail or something like that – if IT is snooping on you, your browser will warn you. But this only works for Google’s web sites – if IT has decided to monitor everything except Google, then your Google traffic may be safe – but anything else will not be.