Skip to main content

False Google certificate causes security panic

A Netherlands-based certificate authority has been tricked into issuing a wildcard certificate for Google's primary domain to a third party, in an attack believed to be designed to sniff on the traffic of Iranian dissidents.

DigiNotar is a valid certificate authority, trusted by every browser under the sun to do due diligence on its clients - to ensure they own the domain in question - before issuing an SSL certificate. Unfortunately, that due diligence failed when it issued an as-yet unknown third party a valid certificate for, the advertising giant's primary domain.

That certificate, signed by DigiNotar's trusted root key and believed to have been in the wild for over five weeks, shows up as valid in every single browser available today - meaning that attackers can use it to spoof Google services without any suspicious certificate errors warning users that they might be under attack.

To prevent man-in-the-middle attacks, certificates need to be issued by a registered certificate authority. Although it's certainly possible for anybody to download a copy of OpenSSL and issue themselves a certificate for any domain, the use of such 'self-signed' certificates will generate a warning when accessed in a browser. Because DigiNotar is a valid and trusted certificate authority, that warning never appears.

While details of the attack are still vague, multiple Iranian bloggers have reported seeing strange routing for their access to Gmail, Google's webmail service, with traffic being encrypted to the false certificate instead of Google's own. Although unproven, suggestions have been raised that the attack has come from the Iranian government itself in efforts to keep tabs on political dissidents.

The certificate could, however, find its way out into the wild and into even less salubrious hands: as a wildcard certificate, it's valid for all domains under - including the company's Checkout service, which handles customer credit card transactions for purchases on the Android Market.

DigiNotar itself has revoked the certificate, and browser makers are going a step further with Mozilla issuing updates to its Firefox and Thunderbird products, Google to its Chrome browser, and Microsoft to its Internet Explorer browser with the certificate forcibly removed. More advanced users - and those impatient for protection - are advised to read up on how to manually revoke certificates in their particular browsers.

Thus far, DigiNotar has not responded to requests for comment on the revoked certificate, and it is not known whether the certificate was legitimately issued to a customer who had fraudulently pretended to be Google or if the authority suffered a more worrying attack which has resulted in third parties gaining access to its root signing keys.