

chachazz
Premium
join:2003-12-14
kudos:7

Mozilla: Revoking Trust in Two TurkTrust Certificates

Mozilla Security Blog - Revoking Trust in Two TurkTrust Certificates
January 3, 2012
quote:
Update: For clarification, the last sentence of this post references our actions to suspend inclusion of a TURKTRUST root certificate. There are currently two TURKTRUST root certificates included in Mozilla’s CA Certificate program. TURKTRUST had requested that a newer root certificate be included, and their request had been approved and was in Firefox 18 beta. However, due to the mis-issued intermediate certificates, we decided to suspend inclusion of their new root certificate for now.

Issue
TURKTRUST, a certificate authority in Mozilla’s root program, mis-issued two intermediate certificates to customers. TURKTRUST has scanned their certificate database and log files and confirmed that the mistake was made for only two certificates.

This is not a Firefox-specific issue. Nevertheless, we are concerned that at least one of the mis-issued intermediate certificates was used for man-in-the-middle (MITM) traffic management of domain names that the customer did not legitimately own or control. We are also concerned that the private keys for these certificates were not kept as secure as would be expected for intermediate certificates.

Impact
An intermediate certificate that is used for MITM allows the holder of the certificate to decrypt and monitor communication within their network between the user and any website. Additionally, if the private key to one of the mis-issued intermediate certificates was compromised, then an attacker could use it to create SSL certificates containing domain names or IP addresses that the certificate holder does not legitimately own or control. An attacker armed with a fraudulent SSL certificate and an ability to control their victim’s network could impersonate websites in a way that would be undetectable to most users. Such certificates could deceive users into trusting websites appearing to originate from the domain owners, but actually containing malicious content or software.

Status
Mozilla is actively revoking trust for the two mis-issued certificates which will be released to all supported versions of Firefox in the next update on Tuesday 8th January.

We have also suspended inclusion of the “TÜRKTRUST Bilgi İletişim ve Bilişim Güvenliği Hizmetleri A.Ş. (c) Aralık 2007” root certificate, pending further review.

Additional action regarding this CA will be discussed in the mozilla.dev.security.policy forum.

Credit
This issue was initially reported to us by Google, Inc.

Michael Coates
Director of Security Assurance



StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2

FYI Microsoft has already revoked the certificates.

»Microsoft untrusted certificate store update (Dec 31st)

»Microsoft Security Advisory Notification - Dec. 31, 2012

»Microsoft Security Advisory Notification - Jan 3, 2013
--
Don't feed trolls--it only makes them grow!



Sindows 7

join:2006-09-13
Chilliwack, BC
kudos:2

reply to chachazz

What do I do? Delete it?


StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2

Or distrust them (there are two).


chachazz
Premium
join:2003-12-14
kudos:7

Fatal error leads TURKTRUST to issue dangerous SSL certificates ... A good article at Heise Security



Sindows 7

join:2006-09-13
Chilliwack, BC
kudos:2

said by chachazz:

Fatal error leads TURKTRUST to issue dangerous SSL certificates ... A good article at Heise Security

link doesn't work


JALevinworth

@embarqhsd.net

said by Sindows 7:

said by chachazz:

Fatal error leads TURKTRUST to issue dangerous SSL certificates ... A good article at Heise Security

link doesn't work

I googled Heise Security to find it here:
»www.h-online.com/security/news/i···291.html

This article was interesting too:
»krebsonsecurity.com/2013/01/turk···re-18224

Libra
Premium
join:2003-08-06
USA
kudos:1

reply to chachazz
I found this in my Event Viewer:

Successful auto update of disallowed certificate list with effective date: Monday, December 31, 2012 3:50:01 PM.

BUT, when I look in the Certificates in Pale Moon I see the two TurkTrust certificates listed there (I edited them by unchecking the three boxes). When I looked in IE, I see FIVE TurkTrust certificates (two Electronic Sertificat Hizmet and three Electronic Islena Hiza..)

Is the fact that they are listed, saying they are good certificates, not important since they are disallowed? Is that something we don't visually see?

Thank you.

Sincerely, Libra



StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2

said by Libra:

Is the fact that they are listed, saying they are good certificates, not important since they are disallowed?

First off I'd forgotten about this so I just checked in FF 18.0 to ensure nothing had changed. It hadn't.

The certificates are listed because they're "built-in". You can't "delete" them. Unticking the 3 boxes means they're distrusted, which effectively has the same result--that is, you'll get a warning pop-up for any site trying to use a certificate issued by TurkTrust.
--
Don't feed trolls--it only makes them grow!


chachazz
Premium
join:2003-12-14
kudos:7

Mozilla Foundation Security Advisory 2013-20
»www.mozilla.org/security/announc···-20.html



Blackbird
Built for Speed
Premium
join:2005-01-14
Fort Wayne, IN
kudos:3

reply to chachazz
Interesting... I just checked in my Opera 11.52 cert listing, and both:
*.EGO.GOV.TR
e-islem.kktcmerkezbankasi.org
are now listed as rejected certs. These are the two subsidiary CAs incorrectly created by TURKTRUST, at least one of which (*.EGO.GOV.TR) was used to issue a fraudulent cert to *.google.com - which triggered this whole business. Apparently, Opera must have pushed out a background update of the cert stores to reject the two certs, even for old Opera versions like mine. I only know I never performed such an update manually...

Edit: I just opened my Opera 10.63 version (which hasn't been activated for at least 6 months) and, following a brief period of visible network traffic indications whilst my local home page was in process of appearing, the cert stores on that version also now show both the above rejections. So Opera is indeed automatically pushing out these cert updates for all their browsers for this problem.
--
“The American Republic will endure until the day Congress discovers that it can bribe the public with the public's money.” A. de Tocqueville
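An added example, not from this thread or from Mozilla, Microsoft or Opera, of the two points above: a certificate can stay listed in the store yet be distrusted (StuartMW), and the chain in question ran through a sub-CA whose subject was the hostname-shaped *.EGO.GOV.TR (Blackbird). Using only Go's standard library it constructs a root, a sub-CA with that subject and a server certificate signed by it, then shows ordinary path validation accepting the leaf until the sub-CA's SHA-256 fingerprint is placed on a distrust list, which is the mechanism behind the disallowed-certificate updates discussed here. Every certificate and key is generated on the fly, the root and leaf names are placeholders, and the fingerprint used is computed from the constructed sub-CA, not from any real TURKTRUST certificate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue builds a constructed certificate for cn (a CA when ca is true) signed by parent; a nil parent means self-signed.
func issue(cn string, ca bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: ca} // CA:TRUE is the flag that turned a customer's certificate into a sub-CA
	if parent == nil { parent, parentKey = t, key } // self-signed root
	der, _ := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, parentKey) // inputs are constructed
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// Verify runs ordinary path validation for host, then rejects the chain if any link's SHA-256 fingerprint is distrusted:
// the certificates stay in the store and the chain still builds; the distrust entry alone is what blocks it.
func Verify(leaf, sub, root *x509.Certificate, host string, distrusted map[[32]byte]bool) bool {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(sub)
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: host})
	for _, chain := range chains { // no iterations when path building failed (chains is nil)
		for _, c := range chain {
			if distrusted[sha256.Sum256(c.Raw)] {
				return false
			}
		}
	}
	return err == nil
}

// Demo mirrors the incident's shape (trusted root, sub-CA with subject *.EGO.GOV.TR, server cert signed by that sub-CA)
// and reports whether the leaf is accepted before and after the sub-CA's fingerprint is distrusted.
func Demo() (acceptedBefore, acceptedAfter bool) {
	root, rootKey := issue("constructed-demo-root-ca", true, nil, nil)
	sub, subKey := issue("*.EGO.GOV.TR", true, root, rootKey)
	leaf, _ := issue("www.example.com", false, sub, subKey)
	distrust := map[[32]byte]bool{sha256.Sum256(sub.Raw): true} // the kind of entry a disallowed-certificate update carries
	return Verify(leaf, sub, root, "www.example.com", nil), Verify(leaf, sub, root, "www.example.com", distrust)
}
```

The before/after pair is the whole point: nothing about the stored certificates changes between the two calls, only the distrust list, which is why the TurkTrust entries can still appear in a certificate manager while being unusable.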



La Luna
Survived Ashraful
Premium
join:2001-07-12
Warwick, NY
kudos:3

reply to chachazz
I can't do anything with the first one in the list. Can't view, edit or delete/distrust, the buttons don't work. The second one I edited and unchecked the boxes. Should I assume the first one is disabled?




StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2

You're clicking on the title. Click on the line underneath (indented text).

(I did the exact same thing the first time)
--
Don't feed trolls--it only makes them grow!



La Luna
Survived Ashraful
Premium
join:2001-07-12
Warwick, NY
kudos:3

LOL!!! Duh!!!!! It all looks like gibberish to me!!

Ok, I got that one edited. So that's all I have to do, right?



StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2

As long as you got both TurkTrust certs. The first is at the top as in the screen captures. The second is down in the T's.
--
Don't feed trolls--it only makes them grow!



La Luna
Survived Ashraful
Premium
join:2001-07-12
Warwick, NY
kudos:3

Ok, thanks, got them both now.



StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2

Well you're good to go--until the next cert authority gets hacked etc
--
Don't feed trolls--it only makes them grow!



Steve
I know your IP address
Consultant
join:2001-03-10
Yorba Linda, CA
kudos:5

reply to chachazz
Who here is amused that Microsoft addressed this before Mozilla?



StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2

Actually I find it more amusing that Microsoft had some of their certificates faked/stolen

»Microsoft kills code-signing certs stop Flame-like attacks
--
Don't feed trolls--it only makes them grow!



chachazz
Premium
join:2003-12-14
kudos:7

quote:
Thursday, January 03, 2013
Notes on the TURKTRUST fiasco
Posted by Robert David Graham

Yet again a Certificate Authority failed, allowing a hacker or government to spy on SSL connections. I thought I'd write up some notes. I'll likely update this post over the next couple days as more info becomes available.

The most important thing to remember is there is no evidence of maliciousness. The CA fail appears to have been accidental. More importantly, the MitM may also have been accidental. This incident will be used by those beating the "state sponsored hacking" drum, so I thought I'd point out that as of today (Jan 3 2013) no evidence exists to support that conclusion.

This is worth reading.
There is a link in the article to the mozilla mail list with an explanatory post apparently made by TurkTrust.
»erratasec.blogspot.de/2013/01/no···sco.html
