Certificate authority DigiNotar today confirmed the fake security credential used to carry out man in the middle (MITM) attacks targeting Gmail users was obtained during a hack.
An Iranian Gmail user claimed to have found evidence of a fake SSL certificate for Google services. Such fake certificates can be used to intercept end user web interactions with an MITM attack or set up spoof websites to steal people's data.
There may well be other certificates like this out there that we don't know about. That means almost all internet users are still vulnerable to this sort of attack.
The fake credentials were authorised by DigiNotar after the company's Certificate Authority (CA) infrastructure was hacked. The firm thought it had removed all of the fraudulent certificates from the internet, but it has now become apparent not all were taken offline.
"The company will take every possible precaution to secure its SSL and EVSSL certificate offering, including temporarily suspending the sale of its SSL and EVSSL certificate offerings," a message from DigiNotar's parent company Vasco Data Security International.
"The company will only restart its SSL and EVSSL certificate activities after thorough additional security audits by third party organisations."
DigiNotar warned it was not just Google.com which was affected.
Concerns over timing have been raised as well. DigiStor said it became aware of an intrusion on 19 July, yet the fake certificate for the Google service was issued on 10 July. This means the fraudulent certificate has been in the wild for some time.
The incident was only highlighted by a user going by the name of Alibo, who, thanks to a new feature in Google Chrome, was made aware of the fake certificate via a warning. Alibo claimed the attack was carried out by either his ISP or the Iranian Government, but there is no solid evidence of this.
Certificates are supposed to act as a guarantee that the information a user is accessing and sending is only viewed by safe, recognised parties. This case has again highlighted flaws in the CA system, which relies on the trust of such security credentials and the competency of certificate authorities, of which there are around 600.
Earlier this year, certificate authority Comodo was hacked and credentials for sites including login.live.com, mail.google.com, www.google.com, login.skype.com and login.yahoo.com were issued.
Digital rights campaigner the Electronic Frontier Foundation (EFF) said this was the first time a fake certificate has successfully been used in the wild, making it especially concerning.
"The certificate authority system was created decades ago in an era when the biggest online security concern was thought to be protecting users from having their credit card numbers intercepted by petty criminals," the EFF said.
"Today internet users rely on this system to protect their privacy against nation states. We doubt it can bear this burden."
Google, Microsoft and Mozilla have all removed DigiStor from their trusted certificate authority lists. This means websites using certificates from DigiStor will not be accessible via Chrome, Mozilla or from any browser running on Windows Vista and above.
Despite the actions of the big vendors, there are still big concerns over the implications of this particular security event.
"The good news is that the computer security community is now taking this threat very seriously. Unfortunately, the bad news is spectacularly bad: users in Iran (or on any network where an eavesdropper had the key to this certificate) may have been vulnerable for two months," the EFF added.
"What's more, there are hundreds of certificate authorities in dozens of jurisdictions, and several have been tricked into issuing false certificates. So there may well be other certificates like this out there that we don't know about. That means almost all internet users are still vulnerable to this sort of attack."
-
Westcon-Comstor and Vectra AI launch brace of new channel initiativesNews Westcon-Comstor and Vectra AI have announced the launch of two new channel growth initiatives focused on the managed security service provider (MSSP) space and AWS Marketplace.
-
Third time lucky? Microsoft finally begins roll-out of controversial Recall featureNews The Windows Recall feature has been plagued by setbacks and backlash from security professionals
-
Google Workspace is getting a Gemini makeover – but prices are going to increaseNews The new pricing structure may help Google boost competition with Microsoft
-
Google confirms Gmail is “here to stay” amid speculation over plans to scrap the email serviceNews Claims that Google plans to sunset Gmail were a hoax, so there's no need to panic
-
Google Workspace Review: A simple aesthetic with productivity in mindReviews From free to enterprise, Google’s ever-popular productivity suite has a range of tiers and functions for all sizes of business
-
CloudHQ fully integrates Gmail with Google SheetsNews Users can bulk export email text to Google Sheets, Excel, or CSV files
-
Gmail for G Suite becomes a hub for corporate communicationsNews Everything you need is now on one page, but it may get overwhelming
-
How to share your Google CalendarTutorials Follow these easy steps to share your Google Calendar with family, friends or team members
-
Gmail introduces new features to makes personalizing your inbox easierNews G Suite customers will see the Quick Setting feature starting June 2020
-
How to delete a Gmail account
In-depth Our step-by-step guide on how to close your Google email account for good
