Microsoft just publicly announced a release to actively “untrust” three certificates issued by Certificate Authority TURKTRUST and its Intermediate CAs, a subsidiary of the Turkish Armed Forces ELELE Foundation Company. According to Microsoft, the company made a couple major mistakes resulting in fraudulent certificate issuance that could be used to MiTM encrypted communications or spoof gmail and a long list of other google properties. A Chrome installation detected a “an unauthorized digital certificate for the “*.google.com” domain” late the night of Dec. 24th 2012, and the Google security team’s investigation began there.
TURKTRUST’s mistakes included issuing two certificates incorrectly. They created digital certificates for *.EGO.GOV.TR and e-islem.kktcmerkezbankasi.org. Both of these certs lacked CRL or OCSP extensions and were incorrectly issued as end-entity certs. These mistakes enabled the *.EGO.GOV.TR authority to be misused and fraudulently issue a certificate for *.google.com. Microsoft is not only issuing fixes for this CA trust problem, but including known CA fixes in the recent past.
This list of Google properties are fixed by the release:
The release may cause some confusion. The vendors are handling the incident differently – the three certificates that are being “untrusted” by Microsoft do not include the TURKTRUST Trusted Root CA certificate itself. But the certificates for the two intermediate authorities are effected, as is the fraudulent Google property certificate. Also adding to the confusion is the fact that some systems seem to have TURKTRUST certificates included as a Trusted Root Certificate Authority on their Windows system, but others do not. This inclusion has to do with the ways in which Microsoft updates their root certificate stores on newer systems vs. older Windows OS systems. Microsoft provides a knowledge base article that presents all of the gory details on Microsoft Root Certificate updates. Just follow the link and go to the section “How Windows Updates Root Certificates”, where you will find information on both Windows Vista and Windows 7, on Windows XP and its manual update root package, and on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2 OS systems. To sum it up, most users that do not visit web sites in the Middle East, especially Turkey and Cyprus, will not have the TURKTRUST Trusted Root CA certificate installed on their system (although Google did not disclose the location of the detected fraudulent certificate). So, for the most part, this release does not directly effect their system. Also, most helpful here is the automatic updater of revoked certificates released by Microsoft back in June, available for Windows Vista Service Pack 2, Windows Server 2008 Service Pack 2, Windows 7, and Windows Server 2008 R2.
Both Mozilla and Google posted information about the problem. Google pushed Chrome’s certificate revocation metadata on December 24th and 25th to block both of the Intermediate Certificate Authority certificates. An ongoing discussion exists over at the mozilla.dev.security.policy group. It appears that Mozilla is the only vendor of the three to altogether suspend trust in the TURKTRUST root CA cert: “We have also suspended inclusion of the “TURKTRUST Bilgi Yleti?im ve Bili?im Guvenli?i Hizmetleri A.?. (c) Aralyk 2007″ root certificate, pending further review”. Please see the long list of links at the right side of the page for more information from the vendors and posts on past CA issues.
Leave a reply