Digital certificates issued by an authority in Turkey are being used for "man in the middle" attacks on Google properties, according to warnings issued by both Microsoft and Google.
The security flaw was traced to a fraudulent digital certificate wrongly issued by intermediate certificate authority Turktrust. "Intermediate CA [certificate authority] certificates carry the full authority of the CA, so anyone who has one can use it to create a certificate for any website they wish to impersonate," wrote Google software engineer Adam Langley on the company's security blog.
Google updated the revocation metadata in its Chrome web browser on Christmas day in response. However, according to Langley, the insecure certificate is one of two that may have been in circulation since August 2011.
He added: "Turktrust told us that based on our information, they discovered that, in August 2011, they had mistakenly issued two intermediate CA certificates to organisations that should have instead received regular SSL certificates. On December 26, we pushed another Chrome metadata update to block the second mistaken CA certificate and informed the other browser vendors."
In its advisory, Microsoft claimed that there is evidence of the two certificates being used in attempted attacks. "This fraudulent certificate could be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks," it said.
It isn't the first time that a lackadaisical trust-issuing authority has been compromised. In 2011, DigiNotar, a Netherlands-based certificate authority, was found to be so completely compromised that the attacker reportedly enjoyed control over all eight of the servers the company used to issue certificates.
All DigiNotar certificates were blacklisted by Microsoft, Google, Mozilla, Opera and Apple, and the company subsequently went bust.