In short, because a valid (but fraudulent) certificate was issued for Google wildcard domains by a root certificate authority, several browser developers will remove the certificate authority DigiNotar from their lists of trusted root certificate authorities. For Internet Explorer, Microsoft will issue an update through its certificate trust list. Firefox requires a new version to be issued and installed by users. Alternatively, users can update the Firefox certificate store themselves by performing the following actions:
Firefox users who want to disable the browser’s trust of the DigiNotar root immediately can do so by clicking on Options, then Advanced, then Encryption and then selecting the View Certificates option. Then scroll down to the DigiNotar root CA, click on it and then click on Delete or Distrust.
Update: Firefox version 6.0.1 was released during the afternoon of August 31.
http://threatpost.com/en_us/blogs/attackers-obtain-valid-cert-google-domains-mozilla-moves-revoke-it-082911
August 29, 2011, 7:31PM
Attackers Obtain Valid Cert for Google Domains, Mozilla Moves to Revoke It
UPDATE: A certificate authority in the Netherlands issued a valid SSL wildcard certificate for Google to a third party in July, leading to concerns that attackers may have been using the certificate to route sensitive traffic through their own servers, capturing it and compromising user data in the process. The certificate was revoked by the CA, DigiNotar, after the problem came to light Monday and Mozilla and Microsoft both have removed DigiNotar from their lists of trusted root CAs.
The attack appears to have been targeting Gmail users specifically. Some users trying to reach the Gmail servers over HTTPS found that their traffic was being rerouted through servers that shouldn’t have been part of the equation. On Monday afternoon, security researcher Moxie Marlinspike checked the signatures on the certificate for the suspicious server, which had been posted to Pastebin and elsewhere on the Web, and found that the certificate was in fact valid. The attack is especially problematic because the certificate is a wildcard cert, meaning it is valid for any of Google’s domains that use SSL.
It’s not clear who DigiNotar issued the certificate to at this point.
Security and privacy experts began discussing the problem Monday, after some people in Iran began posting messages to Twitter and elsewhere about the possibility of a man-in-the-middle attack by the country’s government, using the certificate. The certificate was issued on July 10, and Mozilla said on Monday that it is planning to issue immediate updates to many of its products, including Firefox, Thunderbird and others, to remove the DigiNotar root CA.
“Users on a compromised network could be directed to sites using a fraudulent certificate and mistake them for the legitimate sites. This could deceive them into revealing personal information such as usernames and passwords. It may also deceive users into downloading malware if they believe it’s coming from a trusted site. We have received reports of these certificates being used in the wild,” Mozilla security officials said in a blog post.
“Because the extent of the mis-issuance is not clear, we are releasing new versions of Firefox for desktop (3.6.21, 6.0.1, 7, 8, and 9) and mobile (6.0.1, 7, 8, and 9), Thunderbird (3.1.13, and 6.0.1) and SeaMonkey (2.3.2) shortly that will revoke trust in the DigiNotar root and protect users from this attack.”
Microsoft issued an advisory late Monday, as well, saying that it has removed DigiNotar’s root certificate from the Microsoft Certificate Trust List.
“As a precautionary measure, Microsoft has removed the DigiNotar root certificate from the Microsoft Certificate Trust List.
All supported editions of Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2 use the Microsoft Certificate Trust List to validate the trust of a certification authority. Users of these operating systems will be presented with an invalid certificate error when they browse to a Web site or try to install programs signed by the DigiNotar root certificate. In those cases users should follow the instructions in the message. Microsoft will release a future update to address this issue for all supported editions of Windows XP and Windows Server 2003,” the Microsoft advisory said.
The problem with the fraudulent *.google.com certificate is quite similar to the results of the attack on Comodo earlier this year in which the attackers were able to compromise one of the company’s European registration authorities and issue valid SSL certs for Gmail, Yahoo, Skype and several other high-value sites.
Firefox users who want to disable the browser’s trust of the DigiNotar root immediately can do so by clicking on Options, then Advanced, then Encryption and then selecting the View Certificates option. Then scroll down to the DigiNotar root CA, click on it and then click on Delete or Distrust.
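The article above stresses that the fraudulent certificate is a wildcard certificate for *.google.com. The following added example (not code from the article, Threatpost, or any of the vendors quoted) implements the wildcard name-matching rules of RFC 6125 in plain Python so a defender can see exactly which hostnames such a certificate covers: mail.google.com and docs.google.com match, while google.com itself, deeper names like accounts.mail.google.com, and look-alike domains do not. The sample hostnames are constructed for illustration.

```python
# Added example: which hostnames a wildcard certificate name such as
# "*.google.com" covers, following RFC 6125 section 6.4.3 (strict form:
# the wildcard must be the whole leftmost label and stands for one label).

def wildcard_matches(pattern: str, hostname: str) -> bool:
    """Return True if the certificate name `pattern` covers `hostname`."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname          # plain name: exact match only
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Wildcard only honoured as the entire leftmost label; "mai*.google.com"
    # and "*.*.google.com" are refused.
    if p_labels[0] != "*" or "*" in pattern[2:]:
        return False
    # Require at least two labels to the right, so "*.com" is refused.
    if len(p_labels) < 3:
        return False
    # The wildcard stands in for exactly one label: same label count, and
    # every label to the right of it must match exactly.
    if len(h_labels) != len(p_labels):
        return False
    return h_labels[1:] == p_labels[1:]


def covered_hosts(pattern: str, candidates):
    """Filter a list of hostnames down to those the certificate name covers."""
    return [h for h in candidates if wildcard_matches(pattern, h)]


if __name__ == "__main__":
    # Constructed sample of names a user might visit during the incident.
    sample = ["mail.google.com", "docs.google.com", "google.com",
              "accounts.mail.google.com", "www.google.co.uk", "evil-google.com"]
    for host in sample:
        state = "covered" if wildcard_matches("*.google.com", host) else "not covered"
        print(f"{host:28} {state}")
```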
Announcement from DIR
MULTI STATE INFORMATION SHARING AND ANALYSIS CENTER INFORMATION BULLETIN
DATE ISSUED: August 30, 2011
SUBJECT: Fraudulent Digital Certificate Could Allow Spoofing
Digital certificates are electronic files, issued by organizations known as Certificate Authorities, that enable secure electronic communication between entities on the Internet. Recently, it was discovered that on July 10, 2011, the Dutch Certificate Authority DigiNotar issued a fraudulent certificate. The fraudulent web certificate affects all subdomains of google.com including mail.google.com.
An attacker could potentially use this certificate to perform man-in-the-middle attacks, spoof content, or perform phishing attacks. DigiNotar has revoked the certificate and has added it to their current Certificate Revocation List (CRL). On August 29th, Mozilla and Microsoft announced that they will be releasing updates that will protect users against this fraudulent certificate. Google Chrome browser users were not impacted by the fraudulent certificate due to various browser security checks that were already in place.
As an additional layer of protection, some versions of web browsers can validate a certificate’s identity by using the Online Certificate Status Protocol (OCSP). OCSP provides web browsers with up-to-date information related to the validity of a digital certificate by connecting to an OCSP responder that is hosted by the Certificate Authority issuing the certificates. OCSP is enabled by default in Internet Explorer 7 and Firefox 3 as well as in later versions of these web browsers.
Recommendations:
We recommend the following:
• Apply the updates that will be provided by Microsoft and other browser vendors, where applicable, to vulnerable systems immediately after appropriate testing.
• Remind users not to follow links contained in emails received from unknown users or suspicious e-mails from trusted sources.
• Run all systems and software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
• Inform users to contact their IT security department if invalid certificate errors are received on any of the aforementioned Internet browsers.
References:
Microsoft
http://www.microsoft.com/technet/security/advisory/2607712.mspx
Mozilla
http://blog.mozilla.com/security/2011/08/29/fraudulent-google-com-certificate
Google
http://googleonlinesecurity.blogspot.com/2011/08/update-on-attempted-man-in-middle.html
Pastebin
http://pastebin.com/ff7Yg663
Update regarding removal of digital certificates from Mac OS X operating system.
Information recently provided indicates that the Mac OS X operating system does not correctly mark sites as untrusted after a user removes a fraudulent digital certificate. This condition appears to affect only EV (Extended Validation) certificates.
Additional information on this condition is available from the following URL: