There has been a string of reported incidents in which governments or hackers abused the loosely governed system that is supposed to secure sensitive and financial websites, those with URLs starting with HTTPS.
The Turkish agency known as EGO is involved in the latest incident. The agency reportedly obtained the ability to vouch for any web page from a supposedly reliable certificate authority called TurkTrust. TurkTrust is one of a few hundred organizations around the world that the major web browsers treat as trustworthy, according to a Microsoft Corp blog.
Google said that last month EGO improperly obtained the authority to tell visitors to Google.com sites that they were on a secure site when in fact they were not. The deception was discovered because the Google Chrome browser reported it. Unlike other browsers, Chrome alerts both the user and Google itself when a certificate that Google did not authorize is presented for a Google site.
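As an added illustration of the detection described above (not code from the article, from Google or from any browser vendor): a simplified model of public-key pinning, in which a chain that validates to a trusted root but contains none of the keys pinned for the site is flagged. The trust store, certificate contents and key bytes are constructed placeholders (the names TurkTrust and EGO are used only as labels), and signature verification is omitted.

```python
import base64
import hashlib

# Added example, not code from the article or from any browser vendor.
# A certificate is modelled as a dict with subject, issuer and raw
# SubjectPublicKeyInfo (SPKI) bytes; every SPKI below is a constructed
# placeholder, not a real key, and signatures are not checked.


def spki_pin(spki: bytes) -> str:
    """Pin a key the way browser pinning does: base64(SHA-256(SPKI))."""
    return base64.b64encode(hashlib.sha256(spki).digest()).decode()


# Constructed trust store: both roots are "trusted" by the browser.
TRUSTED_ROOTS = {
    "TurkTrust Root": b"constructed-spki-turktrust-root",
    "Example Root CA": b"constructed-spki-example-root",
}

# Constructed pin set for google.com: a valid chain must contain one of these keys.
GOOGLE_PINS = {
    spki_pin(b"constructed-spki-google-intermediate"),
    spki_pin(TRUSTED_ROOTS["Example Root CA"]),
}


def chain_is_trusted(chain):
    """Leaf-first chain: each issuer is the next subject, ending at a trusted root."""
    for cert, issuer in zip(chain, chain[1:]):
        if cert["issuer"] != issuer["subject"]:
            return False
    return chain[-1]["issuer"] in TRUSTED_ROOTS


def evaluate(chain, pins):
    """Return (trusted_by_pki, pin_satisfied, should_report)."""
    trusted = chain_is_trusted(chain)
    chain_pins = {spki_pin(c["spki"]) for c in chain}
    root_spki = TRUSTED_ROOTS.get(chain[-1]["issuer"])
    if root_spki is not None:
        chain_pins.add(spki_pin(root_spki))
    pin_ok = bool(chain_pins & pins)
    # The article's case: PKI accepts the chain, but no pinned key is present.
    return trusted, pin_ok, trusted and not pin_ok


LEGIT_CHAIN = [  # constructed: google.com via Google's own intermediate
    {"subject": "google.com", "issuer": "Google Intermediate", "spki": b"constructed-spki-google-leaf"},
    {"subject": "Google Intermediate", "issuer": "Example Root CA", "spki": b"constructed-spki-google-intermediate"},
]
ROGUE_CHAIN = [  # constructed: google.com via a mis-issued intermediate
    {"subject": "google.com", "issuer": "EGO", "spki": b"constructed-spki-rogue-leaf"},
    {"subject": "EGO", "issuer": "TurkTrust Root", "spki": b"constructed-spki-ego-intermediate"},
]
```

Both chains pass ordinary PKI validation; only the pin check separates the legitimate chain from the rogue one, which is why a pinning browser can report the rogue chain while others accept it silently.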
Following the incident, Google contacted TurkTrust, which explained that two organizations had been “mistakenly” granted permission to issue certificates for any site in August 2011. Google warned other browser makers, including Mozilla and Microsoft. Mozilla Firefox, Microsoft Internet Explorer, and Google Chrome will now block sites whose certificates were issued by EGO or by the other TurkTrust customer.
While only Google and some of its secure sites are known to have been impersonated, many other sites could have been impersonated as well without the affected companies ever knowing. The Turkish government did not release a statement when Reuters contacted the Turkish embassy in Washington and its consulates in Los Angeles and New York.
The technology companies did not provide a complete account, though one person familiar with the case said that a forged Google.com site had been seen on one internal network.
Chris Soghoian, a former Federal Trade Commission official who is now a technologist with the American Civil Liberties Union, said that the most obvious explanation was that the agency wanted to monitor the web activity of its own employees.
The most probable goal of the deception was to intercept traffic, though the ability to issue certificates is not enough on its own. Whoever holds that ability must also be positioned on the network path between the web user and the site, so that the forged certificate is actually presented to the user's browser.
In 2011, a similar incident occurred when a Dutch certificate authority called DigiNotar revealed that its systems had been compromised and certificates stolen. Google later discovered that a fake certificate for its site was being used in Iran, and it warned Gmail users in that country to change their passwords.
Chris Soghoian and other technology experts have said for years that the supposedly secure HTTPS system is not as secure as it appears, but the industry has been slow to adapt.
Certificate authorities can resell the right to issue certificates without disclosing who their customers are.
“The entire Web relies on every single certificate authority being honest and secure,” said Soghoian. “It’s a ticking time bomb.”