Fraudulent Google credential found in the wild

Did counterfeit SSL cert target Iranians?


Security researchers have discovered a counterfeit web certificate for Google.com circulating on the internet that gives attackers the encryption keys needed to impersonate Gmail and virtually every other digitally signed Google property.

The forged certificate was issued on July 10 to digitally sign Google pages protected by SSL, or secure sockets layer. It was issued by DigiNotar, a certificate authority located in the Netherlands. The forged certificate is valid for *.google.com, giving its unknown holders the means to mount transparent attacks on a wide range of Google users who access pages on networks controlled by the counterfeiters.

It's at least the second time in five months that unauthorized parties have gotten hold of valid SSL certificates used to cryptographically prove that a sensitive website is authentic rather than a forgery. In March, hackers broke into the servers of a web-authentication authority and minted valid certificates for Google Mail and six other domains. It took eight days for the counterfeit credentials to be fully blocked from all major browsers, and much longer to be blacklisted from email programs.

The episode exposed serious vulnerabilities in the net's foundation of trust, because in the intervening time it was possible for attackers to create convincing forgeries of trusted services that were almost impossible for people on attacker-controlled networks to detect. The hack was carried out on a reseller of certificate authority Comodo, and came from servers that used an Iranian IP address. Monday's attack appeared to be more of the same.

“This isn't a huge surprise,” Moxie Marlinspike, a researcher and frequent critic of the SSL system said on Monday about the discovery of the latest Google certificate forgery. “This is the kind of thing we should expect is happening all the time. The only thing noteworthy is that anyone noticed.”

Google and Mozilla have responded to the forgery by preparing updates to Chrome, Firefox and other software programs that take the highly unusual step of blocking all certificates issued by DigiNotar while the forgery is being investigated.

According to a post published on Sunday by a user calling himself alibo, the counterfeit certificate surfaced when he tried to log into his Gmail account using the Google Chrome browser.

“I think my ISP or my government did this attack (because I live in Iran and you may hear something about the story of Comodo hacker!)” he wrote.

Alibo's claims that Iranian ISPs including ParsOnline were using the certificate to validate Gmail couldn't be independently confirmed. But the document he published has been verified by researchers as a valid certificate issued on July 10 by DigiNotar that digitally signs all URLs that end in Google.com.

“This CA should receive an internet death sentence as their carelessness may have resulted in deaths in Iran,” an unknown researcher who verified the certificate wrote. “This cert was issued in JULY of 2011 and it is now just a few days before SEPTEMBER. It is being used in the wild against real people in Iran *right* now.”

Indeed, statements issued by Google and Mozilla shortly after this article was first published indicate a growing mistrust of DigiNotar, which in January was acquired by VASCO Data Security, a maker of two-factor tokens and other authentication products.

“While we investigate, we plan to block any sites whose certificates were signed by DigiNotar,” a statement issued by Google announced.

Google credited a security feature recently added to its Chromium browser engine with protecting alibo and bringing the bogus credential to public attention.

Mozilla, meanwhile, said it planned to issue updates for Firefox, Thunderbird and SeaMonkey shortly “that will revoke trust in the DigiNotar root and protect users from this attack.” It invited users who don't want to wait to manually purge the DigiNotar root from their browsers following these instructions.

Representatives from DigiNotar didn't respond to repeated requests for comment.

Marlinspike has recently proposed a new system he calls Convergence for authenticating websites. It allows end users to query parties they trust when validating the SSL certificates provided by websites they encounter. The system, which is enabled through an add-on for Firefox, is designed to eliminate reliance on certificate authorities, which aren't legally or financially accountable to end users and have suffered a variety of security breaches over the years.

Someone relying on Convergence wouldn't have been tricked by the rogue certificate discovered Monday.

“Whoever got this cert seems to have had it since July 10th, almost 40 days!” Melih Abdulhayoglu, CEO of Comodo wrote in an email. “Maybe they already had a good use out of it would be one guess I have. I find it difficult to believe that this is for notoriety, as if it was, then they would publish it immediately after obtaining it.”

Abdulhayoglu said the certificate was revoked on Monday, but that status may not do much to stop any attacks in progress. As Marlinspike demonstrated in 2009, it's trivial for attackers to suppress the error messages returned by revoked certificates, allowing rogue certificates to live on for weeks or months after they are discovered. The only foolproof way to revoke a certificate is to update each browser, email client, and other piece of software accepting SSL certificates to blacklist the counterfeit credential.

That means the certificate could be a threat until patches are issued by all software makers that work with SSL certificates. It's unclear how long that will take.

If it's true that this credential is being used to snoop on Gmail users, there's no telling how long it will take to stop the attack. ®

This post was updated to include comment from Google and Mozilla.

Broader topics


Other stories you might like

  • Another VPN quits India, as government proposes social media censorship powers
    New Delhi now fighting criticism of eroding free speech and privacy with two proposed regulations

    India's tech-related policies continue to create controversy, with fresh objections raised to a pair of proposed regulation packages.

    One of those regulations is the infosec reporting and logging requirements introduced by India's Computer Emergency Response Team (CERT-In) in late April. That package requires VPN, cloud, and numerous other IT services providers to collect customers' personal information and log their activity, then surrender that info to Indian authorities on demand. One VPN provider, ExpressVPN, last week quit India on grounds that its local servers are designed not to record any logs so compliance would be impossible. ExpressVPN will soon route customers' traffic outside India.

    On Tuesday, another VPN – Surfshark – announced it would do likewise.

    Continue reading
  • Makers of ad blockers and browser privacy extensions fear the end is near
    Overhaul of Chrome add-ons set for January, Google says it's for all our own good

    Special report Seven months from now, assuming all goes as planned, Google Chrome will drop support for its legacy extension platform, known as Manifest v2 (Mv2). This is significant if you use a browser extension to, for instance, filter out certain kinds of content and safeguard your privacy.

    Google's Chrome Web Store is supposed to stop accepting Mv2 extension submissions sometime this month. As of January 2023, Chrome will stop running extensions created using Mv2, with limited exceptions for enterprise versions of Chrome operating under corporate policy. And by June 2023, even enterprise versions of Chrome will prevent Mv2 extensions from running.

    The anticipated result will be fewer extensions and less innovation, according to several extension developers.

    Continue reading
  • CISA and friends raise alarm on critical flaws in industrial equipment, infrastructure
    Nearly 60 holes found affecting 'more than 30,000' machines worldwide

    Updated Fifty-six vulnerabilities – some deemed critical – have been found in industrial operational technology (OT) systems from ten global manufacturers including Honeywell, Ericsson, Motorola, and Siemens, putting more than 30,000 devices worldwide at risk, according to private security researchers. 

    Some of these vulnerabilities received CVSS severity scores as high as 9.8 out of 10. That is particularly bad, considering these devices are used in critical infrastructure across the oil and gas, chemical, nuclear, power generation and distribution, manufacturing, water treatment and distribution, mining and building and automation industries. 

    The most serious security flaws include remote code execution (RCE) and firmware vulnerabilities. If exploited, these holes could potentially allow miscreants to shut down electrical and water systems, disrupt the food supply, change the ratio of ingredients to result in toxic mixtures, and … OK, you get the idea.

    Continue reading
  • Inside the RSAC expo: Buzzword bingo and the bear in the room
    We mingle with the vendors so you don't have to

    RSA Conference Your humble vulture never liked conference expos – even before finding myself on the show floor during a global pandemic. Expo halls are a necessary evil that are predominatly visited to find gifts to bring home to the kids. 

    Do organizations really choose security vendors based on a booth? The whole expo hall idea seems like an outdated business model – for the vendors, anyway. Although the same argument could be made for conferences in general.

    For the most part, all of the executives and security researchers set up shop offsite – either in swanky hotels and shared office space (for the big-wigs) or at charming outdoor chess tables in Yerba Buena Gardens. Many of them said they avoided the expo altogether.

    Continue reading

Biting the hand that feeds IT © 1998–2022