Google finds unauthorized certificate for google.com domain, scrambles to protect users

The company updated its Chrome browser and notified other browser makers about the problem

Google has taken steps to close potential security holes created by a fraudulent certificate for its google.com domain, discovered in late December.

The certificate was erroneously issued by an intermediate certificate authority (CA) linking back to TurkTrust, a Turkish CA.

"Intermediate CA certificates carry the full authority of the CA, so anyone who has one can use it to create a certificate for any website they wish to impersonate," wrote Adam Langley, a Google software engineer, in a blog post Thursday.

Google detected the existence of the certificate on Christmas Eve, updated its Chrome browser the next day to block the intermediate CA and notified TurkTrust and other browser makers about the problem.

TurkTrust then conducted its own investigation and found out that in August 2011 it had mistakenly issued two intermediate CA certificates to organizations that should have instead received regular SSL certificates, according to Langley.

Google then updated Chrome again to block the second CA certificate and again notified other browser vendors.

"Our actions addressed the immediate problem for our users. Given the severity of the situation, we will update Chrome again in January to no longer indicate Extended Validation status for certificates issued by TurkTrust, though connections to TurkTrust-validated HTTPS servers may continue to be allowed," Langley wrote.

Google may take additional steps in reaction to this issue, he added.

A Google spokesman said via e-mail that although TurkTrust mistakenly issued two intermediate certificates, only one was used to generate an unauthorized certificate.

"We believe there was one case of the certificate being used internally on a company's network," the spokesman said.

Juan Carlos Perez covers enterprise communication/collaboration suites, operating systems, browsers and general technology breaking news for The IDG News Service. Follow Juan on Twitter at @JuanCPerezIDG.

Tags: Google, applications, security, browsers, software

Heartbleed bug is irritating McAfee, Symantec, Kaspersky Lab

READ THIS ARTICLE
MORE IN Mobile Security
DO NOT SHOW THIS BOX AGAIN [ x ]
Comments are now closed.
CSO Corporate Partners
  • Webroot
  • Trend Micro
  • NetIQ
rhs_login_lockGet exclusive access to CSO, invitation only events, reports & analysis.
CSO Directory

Open Space Security Suite

Kaspersky Open Space Security provides complete business protection in a single integrated suite of applications that work seamlessly across all platforms.

Latest Jobs
Security Awareness Tip

Incident handling is a vast topic, but here are a few tips for you to consider in your incident response. I hope you never have to use them, but the odds are at some point you will and I hope being ready saves you pain (or your job!).


  1. Have an incident response plan.

  2. Pre-define your incident response team 

  3. Define your approach: watch and learn or contain and recover.

  4. Pre-distribute call cards.

  5. Forensic and incident response data capture.

  6. Get your users on-side.

  7. Know how to report crimes and engage law enforcement. 

  8. Practice makes perfect.

For the full breakdown on this article

Security ABC Guides

Warning: Tips for secure mobile holiday shopping

I’m dating myself, but I remember when holiday shopping involved pouring through ads in the Sunday paper, placing actual phone calls from tethered land lines to research product stock and availability, and actually driving places to pick things up. Now, holiday shoppers can do all of that from a smartphone or tablet in a few seconds, but there are some security pitfalls to be aware of.