[SSL Observatory] Turktrust erroneously issued sub-CA certificates

Bernhard Amann bernhard at ICSI.Berkeley.EDU
Fri Jan 4 14:00:13 PST 2013


On Jan 3, 2013, at 7:57 PM, Andy Isaacson <adi at hexapodia.org> wrote:

> On Thu, Jan 03, 2013 at 10:13:54AM -0800, Andy Isaacson wrote:
>> http://googleonlinesecurity.blogspot.com/2013/01/enhancing-digital-certificate-security.html
>> 
>>    TURKTRUST told us that based on our information, they discovered
>>    that in August 2011 they had mistakenly issued two intermediate CA
>>    certificates to organizations that should have instead received
>>    regular SSL certificates.
> 
> Microsoft's announcement provides the names of the two certificates.
> 
> http://blogs.technet.com/b/msrc/archive/2013/01/03/security-advisory-2798897-released-certificate-trust-list-updated.aspx
> 
>    TURKTRUST Inc. incorrectly created two subsidiary Certificate
>    Authorities: (*.EGO.GOV.TR and e-islam.kktcmerkezbankasi.org). The
>    *.EGO.GOV.TR subsidiary CA was then used to issue a fraudulent
>    digital certificate to *.google.com.


I just looked through our notary data - and we have not seen either of 
the intermediate certificates in any of the connections we monitor. That 
(probably) means that the certificates were not widely used to MITM
connections.

For people who do not know about our notary:

We are currently passively monitoring the SSL connections of about 300k 
users at about 10 different, mostly educational, networks. Most (but not all) 
of them are in the US. Data collection started in February. More 
details are available at http://notary.icsi.berkeley.edu.

Bernhard
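The check Bernhard describes (looking through passively observed certificate chains for the two mis-issued intermediates) is easy to reproduce on any notary-style log. The following is an added example written for this page; it is not code from the original post or from the ICSI notary project. The observation records are constructed; the only real values are the two sub-CA subject names quoted from the Microsoft advisory above. Beyond the name match, it also applies a general heuristic the thread implies: an intermediate whose subject looks like a hostname or wildcard was almost certainly meant to be an end-entity certificate.

```python
"""Scan observed TLS chains for the mis-issued TURKTRUST sub-CAs.

Added example, not part of the original mailing-list post or of the
ICSI notary's code.  The chain records are constructed; the two sub-CA
common names come from the Microsoft advisory quoted in the thread.
"""
import re
from typing import Dict, List, Set, Tuple

# Subject CNs of the two intermediates named in the advisory (lowercased
# so the comparison is case-insensitive, as DNS names are).
MISISSUED_SUBCA_CNS: Set[str] = {"*.ego.gov.tr", "e-islam.kktcmerkezbankasi.org"}

# Heuristic: a certificate with CA:TRUE whose subject CN is a DNS name or
# wildcard should have been a regular server certificate.
HOSTNAME_CN = re.compile(r"^(\*\.)?([a-z0-9-]+\.)+[a-z]{2,}$", re.IGNORECASE)

# Constructed observation records: one per connection, chain as presented
# by the server (leaf first).  Each cert carries the fields a notary would
# extract: subject CN and the basicConstraints CA flag.
OBSERVED: List[Dict] = [
    {"sni": "www.example.edu", "chain": [
        {"cn": "www.example.edu", "ca": False},
        {"cn": "Example Issuing CA", "ca": True},
        {"cn": "Constructed Root CA", "ca": True}]},
    # A MITM'd connection of the kind the advisory describes.
    {"sni": "www.google.com", "chain": [
        {"cn": "*.google.com", "ca": False},
        {"cn": "*.EGO.GOV.TR", "ca": True},
        {"cn": "Constructed Root CA", "ca": True}]},
    {"sni": "online.example.org", "chain": [
        {"cn": "online.example.org", "ca": False},
        {"cn": "e-islam.kktcmerkezbankasi.org", "ca": True},
        {"cn": "Constructed Root CA", "ca": True}]},
]


def find_flagged(records: List[Dict]) -> List[Tuple[str, str, List[str]]]:
    """Return (sni, issuer_cn, reasons) for every non-leaf certificate that
    is either a known mis-issued sub-CA or a CA cert with a hostname CN."""
    hits = []
    for rec in records:
        for cert in rec["chain"][1:]:          # intermediates and roots only
            reasons = []
            if cert["cn"].lower() in MISISSUED_SUBCA_CNS:
                reasons.append("known mis-issued sub-CA")
            if cert["ca"] and HOSTNAME_CN.match(cert["cn"]):
                reasons.append("CA cert with hostname-style subject")
            if reasons:
                hits.append((rec["sni"], cert["cn"], reasons))
    return hits


def unseen_misissued(records: List[Dict]) -> Set[str]:
    """Which of the mis-issued sub-CAs never appeared as an issuer in the
    observed chains.  An empty set means both were seen at least once."""
    seen = {c["cn"].lower() for r in records for c in r["chain"][1:]}
    return MISISSUED_SUBCA_CNS - seen


if __name__ == "__main__":
    for sni, issuer, why in find_flagged(OBSERVED):
        print(f"{sni}: chain contains {issuer} ({'; '.join(why)})")
    print("never observed:", unseen_misissued(OBSERVED) or "none")
```

Run against a real notary export, `unseen_misissued` returning both names is the "we have not seen either" result reported above; the hostname heuristic is what would have flagged these intermediates before their names were public.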
