The loophole involved
an exploit of ID credentials that browsers use to ensure a website is who it
claims to be. By using fake credentials, criminals could have created a website
that purported to be part of the Google+ social media network. The fake ID
credentials have been traced back to Turkish security firm Turk Trust which
mistakenly issued them. Turk Trust said there was no evidence the data had been
used for dishonest purposes
SECURE
CODE
An investigation by Turk
Trust revealed that in August 2011 it twice accidentally issued the wrong type
of security credential, a form of identification known as an intermediate certificate.
Instead of issuing low level certificates it mistakenly gave out what amounted
to "master keys" which could have allowed a bogus site to pretend it
was the legitimate version without triggering a warning."An intermediate
certificate is essentially a master key that can create certificates for any
domain name," explained security analyst Chester Wisniewski from Sophos in
a blogpost about the security lapse."These certificates could be used to
impersonate any website to any browser without the end user being alerted that
anything is wrong."The certificates are important, he said, because secure
use of web shops and other services revolve around interaction between the
"master keys" and the lower level security credentials. The lapse was
spotted when automatic checks built into Google's Chrome browser noticed
someone was using the program with an unauthorized certificate for the
"*.google.com" domain. Had this not been detected the person could
have gone onto to impersonate Google+, Gmail and other services run by the US
firm. The danger would have been that they could then have staged a man-in-the
middle attack. This would have involved them relaying targeted users'
communications to the real Google services and passing on the responses. By
doing this they could have eavesdropped on potentially sensitive messages.
Google said it alerted other browser-makers to the threat after its discovery.
Microsoft and Firefox developer Mozilla subsequently issued updates which
revoke the two wrongly issued intermediate certificates. The identity of the
person using the unauthorized certificate has not been reported, and their
intentions are unknown. This is not the first time that websites and browser
makers have had a problem with security certificates. Fake certificates have
been issued before now by several other firms and exposed confidential data
including login names and passwords."It is really time we move on from
this 20-year-old, poorly implemented system," wrote Mr. Wisniewski.
"It doesn't need to be perfect to beat what we have."
source:bbc.co.uk
0 comments:
Post a Comment