Tuesday29 November 2022

A Google SSL Cert issued to... Someone that was not Google

Reading time is around minutes.

Not that long ago Microsoft was the victim of an incorrectly assigned certificate. This was issued to more than just Microsoft and caused some havoc with a few firewalls (like Microsoft’s ISA) that check for security certificate validity. Because of the malformed Cert people were not able to get to Hotmail and other secure Microsoft sites or they received an error saying the certificate could not be trusted. Microsoft quickly remedied the issue, but it had an impact.  

certNow we see something similar has happened to Google. A Dutch certificate service by the name of DigiNotar issued a certificate for to a company that is certainly not Google. The response has been immediate with companies stating that they are going to release patches that will revoke the DigiNotar trust (which is not found in many US systems but is big in Europe apparently.

Some are attributing this attack to the Iranian Government or others inside Iran. This is mostly due to the Comodo issue that happened a few months ago that was claimed by an Iranian Patriot. However, there is no evidence that this was the case this time this could be the work of others, but it does illustrate a fundamental flaw with Security Certificates.  You see as it stands right now a third party is responsible for verification and issuance of the certificate that proves that a website is how it claims it is. It is not all that hard to intercept the confirmation notices in reality. It is also possible that some companies (there are well over 600 Certificate Authorities now) are unscrupulous enough that they might sell off the master keys to a site so that someone could produce their own certificates.

In short there needs to be a serious overhaul of this system to protect against the increasingly sophisticated attacks that are happening on the web.

Discuss in our Forum

Last modified on Monday, 29 August 2011 20:13

Leave a comment

Make sure you enter all the required information, indicated by an asterisk (*). HTML code is not allowed.