by Damon Poeter
Aug 30, 2011
A forged Web certificate for Google.com that provides the means to impersonate Gmail and other Google properties has been published online, according to media reports on Monday.
The counterfeit certificate is "valid for *.google.com, giving its unknown holders the means to mount transparent attacks on a wide range of Google users who access pages on networks controlled by the counterfeiters," according to The Register.
The encryption keys were apparently pilfered from an SSL certificate issued on July 10 by DigiNotar, a legitimate certification authority (CA) based in The Netherlands and owned by secure token vendor VASCO Data Security, according to reports. Such certificates are issued for websites and used in conjunction with the secure sockets layer, or SSL cryptographic protocol that secures communications across the Internet.
The SSL and Transport Layer Security (TLS) protocols allow client/server applications to communicate across networks while preventing third parties, including the network owners, from tapping into and eavesdropping on that communication. The use of a legitimate-looking certificate could be used to trick Internet users into revealing personal information like usernames and passwords, or even for intercepting and tampering with communications.
DigiNotar and other CAs issue digital certificates that validate the link between a public key and the CA-vouched identity of the individual, company, server or other entity named in the certificate. Critics of the SSL system say it has too many vulnerabilities, particularly in its reliance on CAs of varying track records to validate that certificate seekers are really who they say they are.
Internet users in Iran have reportedly encountered the forged certificate, with one Iranian user who first drew attention to its existence claiming that the certificate turned up while logging into Gmail from Google's Chrome browser.
Google said Monday it would block sites with certificates signed by DigiNotar pending the results of an investigation. The search giant claimed a new security feature included in its Chrome browser was what identified the bogus cert and alerted the Iranian user to its existence.
Mozilla said in a statement that DigiNotar had revoked the fraudulent certificate, "which should protect most users," but that it would still issue updates to its Firefox browsers. The company also posted instructions for manually disabling the DigiNotar root in Firefox.
It wasn't clear what damage, if any, had been caused by the counterfeit digital certificate to date.