We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message
78,721 News Articles

Google finds unauthorized certificate for google.com domain, scrambles to protect users

The company updated its Chrome browser and notified other browser makers about the problem

Google has taken steps to close potential security holes created by a fraudulent certificate for its google.com domain, discovered in late December.

The certificate was erroneously issued by an intermediate certificate authority (CA) linking back to TurkTrust, a Turkish CA.

"Intermediate CA certificates carry the full authority of the CA, so anyone who has one can use it to create a certificate for any website they wish to impersonate," wrote Adam Langley, a Google software engineer, in a blog post Thursday.

Google detected the existence of the certificate on Christmas Eve, updated its Chrome browser the next day to block the intermediate CA and notified TurkTrust and other browser makers about the problem.

TurkTrust then conducted its own investigation and found out that in August 2011 it had mistakenly issued two intermediate CA certificates to organizations that should have instead received regular SSL certificates, according to Langley.

Google then updated Chrome again to block the second CA certificate and again notified other browser vendors.

"Our actions addressed the immediate problem for our users. Given the severity of the situation, we will update Chrome again in January to no longer indicate Extended Validation status for certificates issued by TurkTrust, though connections to TurkTrust-validated HTTPS servers may continue to be allowed," Langley wrote.

Google may take additional steps in reaction to this issue, he added.

A Google spokesman said via e-mail that although TurkTrust mistakenly issued two intermediate certificates, only one was used to generate an unauthorized certificate.

"We believe there was one case of the certificate being used internally on a company's network," the spokesman said.

Juan Carlos Perez covers enterprise communication/collaboration suites, operating systems, browsers and general technology breaking news for The IDG News Service. Follow Juan on Twitter at @JuanCPerezIDG.


IDG UK Sites

LG G Watch review: Android Wear smartwatch is the best around, so far

IDG UK Sites

How to join Apple's OS X Beta Seed Program: Get OS X Yosemite on your Mac before public release

IDG UK Sites

Why the BBC iPlayer outage was caused by a DDoS attack: Topsy and Tim isn't *that* popular

IDG UK Sites

See Glasgow 2014 in UHD as history is made