Fatal error leads TURKTRUST to issue dangerous SSL certificates
The Turkish certificate authority TURKTRUST has made what could be a fatal mistake, issuing two SSL intermediate certificates that could be used to issue certificates for arbitrary domains. With one of the intermediate or SubCA certificates, an SSL certificate was not only issued for *.google.com, but also put into use. According to TURKTRUST, the incident is the result of a chain of unfortunate circumstances and there is no evidence of abuse at the company.
Google discovered the issue on Christmas Eve, thanks to its certificate pinning mechanisms in Chrome which detected the unauthorised certificate for the domain. Google analysed the certificate and found that it was apparently issued by an intermediate certificate authority with the full authority of the TURKTRUST certificate authority; it then alerted TURKTRUST and other browser vendors.
According to the Microsoft advisory, the two certificates were issued to *.EGO.GOV.TR and e-islem.kktcmerkezbankasi.org. It was the *.EGO.GOV.TR certificate which was then used to issue the wildcard certificate for the Google domain.
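As an added example (not code from the article, Google or TURKTRUST), the Go program below rebuilds the chain shape just described with freshly constructed keys: a trusted root issues a sub-CA for an unrelated domain, which in turn issues a wildcard for *.google.com. It shows why ordinary path validation accepts that leaf while a public-key pin on the site's genuine issuer, the check Chrome applied, rejects it; all names, the root and the pin set are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue makes a fresh P-256 key plus a certificate for cn signed by pkey (self-signed when parent is nil).
// Every key and certificate in this file is constructed test data, not material from the incident.
func issue(cn string, isCA bool, dns []string, parent *x509.Certificate, pkey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	// IsCA with BasicConstraintsValid is the flag that lets a certificate act as a sub-CA.
	tmpl := &x509.Certificate{SerialNumber: serial, Subject: pkix.Name{CommonName: cn}, DNSNames: dns,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true}
	if parent == nil {
		parent, pkey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, pkey)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der)
	return c, key
}

// spkiPin hashes the SubjectPublicKeyInfo, which is what public-key pinning compares against.
func spkiPin(c *x509.Certificate) [32]byte { return sha256.Sum256(c.RawSubjectPublicKeyInfo) }

// Scenario rebuilds the incident: a trusted root issues a sub-CA for an unrelated domain, which then
// issues *.google.com. It returns whether path validation accepts that leaf and whether a pin does.
func Scenario() (pathValid, pinMatch bool) {
	root, rootKey := issue("Test Root CA (constructed)", true, nil, nil, nil)
	subCA, subKey := issue("*.EGO.GOV.TR", true, nil, root, rootKey)
	leaf, _ := issue("*.google.com", false, []string{"*.google.com"}, subCA, subKey)
	legit, _ := issue("Genuine site CA (constructed)", true, nil, root, rootKey)
	pins := map[[32]byte]bool{spkiPin(legit): true} // the only issuer key the site operator actually uses
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(subCA)
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: "www.google.com", Roots: roots, Intermediates: inters})
	// Pinning passes only if some certificate in the presented chain carries a pinned key.
	pinMatch = pins[spkiPin(leaf)] || pins[spkiPin(subCA)] || pins[spkiPin(root)]
	return err == nil, pinMatch
}
```

Scenario() returns (true, false): the chain is cryptographically valid all the way to a trusted root, so only the pin reveals that nothing in it belongs to the site's real issuer.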
According to Microsoft's advisory, the SubCAs were created by a root certificate called "TURKTRUST Elektronik Sunucu Sertifikasi Hizmetleri". Mozilla said in its security blog that it was also going to remove a certificate for "TÜRKTRUST Bilgi İletişim ve Bilişim Güvenliği Hizmetleri A.Ş. (c) Aralık 2007", a newer root certificate which was due to be included in a future Firefox, but had so far only been included in Firefox 18 beta.
Mozilla will be adding the two SubCA certificates to its certificate blacklist during its next update, which is due on 8 January.