A fraudulent digital certificate for *.google.com has been blocked by Google, Mozilla and Microsoft. It was issued under an intermediate certificate authority (CA) certificate that a Turkish CA, TURKTRUST, had mistakenly issued to two other Turkish organizations that should have received ordinary server certificates and were never authorized for the issuing power an intermediate CA certificate carries.
Chrome's built-in public key pinning for Google domains, which rejects any certificate for those domains that does not chain through a key Google has whitelisted, detected the certificate late on December 24. Google traced it to one of those intermediate CA certificates, and to TURKTRUST as the CA that had put it in the wrong hands.
"In response, we updated Chrome’s certificate revocation metadata on December 25 to block that intermediate CA," Google software engineer Adam Langley wrote on the company's Security Blog. "TURKTRUST told us that based on our information, they discovered that in August 2011 they had mistakenly issued two intermediate CA certificates."
An intermediate CA certificate carries issuing power: whoever holds its private key can sign certificates for any domain, and browsers accept them because the intermediate chains to a publicly trusted root, Kaspersky's Threatpost blog noted. That is what makes the TURKTRUST mistake dangerous to ordinary Internet users, whose browsers would accept a certificate minted this way without any warning (Chrome's pinning for Google's own domains is the exception that caught this one).
It's not known whether the unauthorized certificates were used to carry out any attacks. An attacker holding such a certificate and its private key still needs a position between the victim and the site, such as a compromised network, a hostile Wi-Fi hotspot or an ISP, but from there could impersonate any domain, including HTTPS sites, read and alter the traffic, serve malicious code, harvest personal information or capture banking logins.
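The two checks described above, ordinary chain validation and Chrome's key pinning, as an added Go example that is not code from the article, from Google or from TURKTRUST. Every name, key and serial number is constructed for the demo: "Demo Google Internet Authority" stands in for the intermediate whose key Chrome pins, the CA:TRUE "EGO.GOV.TR" certificate stands in for the mis-issued intermediate, and the CA:FALSE "EGO.GOV.TR" certificate is the ordinary server certificate TURKTRUST should have issued instead.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// template builds a certificate template; names, serials and validity are
// made up for this demo. "ca" sets the basicConstraints CA flag.
func template(cn string, ca bool, serial int64, dns ...string) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, // always emit basicConstraints (CA:TRUE or CA:FALSE)
		IsCA:                  ca,
		DNSNames:              dns,
	}
	if ca {
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else {
		t.KeyUsage, t.ExtKeyUsage = x509.KeyUsageDigitalSignature, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// issue generates a fresh key for tmpl and has signer sign the certificate.
// A nil signer produces a self-signed certificate (the demo root).
func issue(tmpl, signer *x509.Certificate, signerKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	if signer == nil {
		signer, signerKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// chainValid is plain browser-style path validation: does leaf chain to the
// trusted root through issuer, and is it valid for host?
func chainValid(leaf, issuer, root *x509.Certificate, host string) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(issuer)
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots, Intermediates: inters})
	return err
}

// spkiPin is the Chrome/HPKP pin form: base64(SHA-256(SubjectPublicKeyInfo)).
func spkiPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// pinMatches accepts a chain only if some certificate in it carries a pinned
// key; this runs on top of path validation, not instead of it.
func pinMatches(chain []*x509.Certificate, pinned map[string]bool) bool {
	for _, c := range chain {
		if pinned[spkiPin(c)] {
			return true
		}
	}
	return false
}

// Outcome records what validation and pinning say about each *.google.com cert.
type Outcome struct {
	GenuineValid, GenuinePinned bool   // issued by the pinned Google intermediate
	RogueValid, RoguePinned     bool   // issued by the mis-issued CA:TRUE intermediate
	NonCAErr                    string // issued by an ordinary CA:FALSE server certificate
}

func RunScenario() Outcome {
	root, rootKey := issue(template("Demo Root CA", true, 1), nil, nil)
	gia, giaKey := issue(template("Demo Google Internet Authority", true, 2), root, rootKey)
	egoCA, egoCAKey := issue(template("EGO.GOV.TR", true, 3), root, rootKey)                    // what was issued
	egoLeaf, egoLeafKey := issue(template("EGO.GOV.TR", false, 4, "*.ego.gov.tr"), root, rootKey) // what should have been
	pins := map[string]bool{spkiPin(gia): true}

	genuine, _ := issue(template("*.google.com", false, 5, "*.google.com"), gia, giaKey)
	rogue, _ := issue(template("*.google.com", false, 6, "*.google.com"), egoCA, egoCAKey)
	attempt, _ := issue(template("*.google.com", false, 7, "*.google.com"), egoLeaf, egoLeafKey)

	var o Outcome
	o.GenuineValid = chainValid(genuine, gia, root, "www.google.com") == nil
	o.GenuinePinned = pinMatches([]*x509.Certificate{genuine, gia, root}, pins)
	o.RogueValid = chainValid(rogue, egoCA, root, "www.google.com") == nil
	o.RoguePinned = pinMatches([]*x509.Certificate{rogue, egoCA, root}, pins)
	if err := chainValid(attempt, egoLeaf, root, "www.google.com"); err != nil {
		o.NonCAErr = err.Error()
	}
	return o
}

func main() {
	fmt.Printf("%+v\n", RunScenario())
}
```

The rogue certificate passes path validation exactly as the real one did, because its issuer chains to a trusted root and is marked CA:TRUE; only the pin check, which is what Chrome applies to Google domains, rejects it. The same attempt with the CA:FALSE certificate TURKTRUST should have issued fails validation outright, which is why the mistake mattered.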
In 2011, after a fraudulent *.google.com certificate issued by the compromised Dutch certificate authority DigiNotar was used to intercept Gmail connections in Iran, Google advised Gmail users in Iran to change their passwords.
In addition to the December 25 revocation update, Google said it will update Chrome again this month so that it no longer shows Extended Validation (EV) status for any certificate issued by TURKTRUST, although connections to sites using TURKTRUST certificates may continue to be allowed.