Last week, the week before, and the week before that, I explained how the cryptographic side of digital certificates and secure web site identity works, and how there have been continuing problems with what many see as misbehavior by root CAs. We introduce the technical side in Learning Tree’s System and Network Security Introduction course, and depending on interest in the group that week, sometimes go a little deeper. Here is even deeper background.
Türktrust Bilgi İletişim ve Bilişim Güvenliği Hizmetleri A.Ş. is a root CA based in Turkey. Back in August of 2011 they issued a certificate to EGO Genel Müdürlüğü, the transportation directorate of the city government of Ankara.
That certificate and its private key were installed in a Check Point firewall with TLS/SSL inspection capability: the appliance terminates the user’s HTTPS connection, decrypts and inspects the traffic, and opens its own connection to the real server. To do that without browser warnings it must present a certificate for whatever site the user asked for, so it uses the certificate it has been given to sign new ones on the fly. That only works if the certificate is permitted to sign other certificates, and that is where the error lay: Türktrust had issued EGO a subordinate CA certificate (basicConstraints CA:TRUE) instead of an ordinary end-entity certificate, so the certificates the firewall automatically created chained back to a trusted root. To put an alarming name on it, they could be used for man-in-the-middle attacks against any HTTPS connection made through the firewall.
Once again it was a Chrome browser, this time one used inside the city transit agency, that noticed a certificate claiming to be valid for all of *.google.com (and thus Gmail, Google Docs, Google Apps, Google Drive, and so on) that had not really been issued for Google. Chrome ships with the public keys behind Google’s own certificates pinned, so a chain that passed ordinary validation was still rejected because the key did not match, and that is how Google learned of it.
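To make the two mechanisms concrete, here is an added example of my own; it is not material from the post above, from Türktrust or from Check Point, and it only needs the openssl command-line tool (1.1.1 or later). It builds a throw-away PKI in which the same certificate request is issued twice, once correctly as an end-entity certificate and once with the CA bit set, then does what an inspecting firewall does with each (mint a leaf for *.google.com) and runs both ordinary chain validation and a public-key pin check against the result. The names Example Root CA, ego.example and genuine.key are constructed for the demo; genuine.key stands in for the real Google key a browser would have pinned.

```shell
#!/bin/sh
# Added example (not the original post's material): rebuild the Türktrust/EGO
# failure mode in a throw-away PKI. All names (Example Root CA, ego.example,
# genuine.key) are constructed for this demo; nothing here touches a real CA.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Extension profiles: what a CA certificate carries vs. what a web-server
# certificate gets. The whole incident is the difference between these two files.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\n' > ee.ext

# 1. A scratch root CA, standing in for the root that browsers trust.
openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Example Root CA" \
  -keyout root.key -out root.csr 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -days 30 -sha256 \
  -extfile ca.ext -out root.crt 2>/dev/null

# 2. The subscriber's key and request, standing in for EGO's web-server request.
openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=ego.example" \
  -keyout ego.key -out ego.csr 2>/dev/null

# 3. The same CSR issued two ways: ego-ok.crt is what the subscriber should have
#    received; ego-bad.crt is the mis-issued version with the CA bit set.
openssl x509 -req -in ego.csr -CA root.crt -CAkey root.key -CAcreateserial \
  -days 30 -sha256 -extfile ee.ext -out ego-ok.crt 2>/dev/null
openssl x509 -req -in ego.csr -CA root.crt -CAkey root.key -CAcreateserial \
  -days 30 -sha256 -extfile ca.ext -out ego-bad.crt 2>/dev/null

# 4. What a TLS-inspecting firewall does with whatever certificate it is given:
#    mint a leaf for the site the user is visiting, signed with the subscriber key.
openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=*.google.com" \
  -keyout mitm.key -out mitm.csr 2>/dev/null
mint_leaf() {  # mint_leaf <issuer-cert> <issuer-key> <out-file>
  openssl x509 -req -in "$WORK/mitm.csr" -CA "$1" -CAkey "$2" -CAcreateserial \
    -days 30 -sha256 -extfile "$WORK/ee.ext" -out "$3" 2>/dev/null
}
mint_leaf ego-bad.crt ego.key mitm-google.crt
mint_leaf ego-ok.crt  ego.key mitm-google-ok.crt || :   # some openssl builds refuse outright

# 5. Ordinary path validation, as every client without pins performs it.
chain_valid() {  # chain_valid <leaf> <intermediate> -> prints yes or no
  if openssl verify -CAfile "$WORK/root.crt" -untrusted "$2" "$1" >/dev/null 2>&1
  then echo yes; else echo no; fi
}

# 6. Public-key pinning, the check that caught the real certificate in Chrome:
#    compare SHA-256 of the leaf's DER SubjectPublicKeyInfo with the pin the
#    client already knows. genuine.key stands in for Google's own key.
openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=*.google.com" \
  -keyout genuine.key -out genuine.csr 2>/dev/null
openssl x509 -req -in genuine.csr -CA root.crt -CAkey root.key -CAcreateserial \
  -days 30 -sha256 -extfile ee.ext -out genuine-google.crt 2>/dev/null
key_pin() {   # key_pin <private-key> -> base64(SHA-256(SPKI)), the HPKP pin format
  openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256 -binary | openssl base64
}
cert_pin() {  # cert_pin <certificate> -> the same digest taken from a certificate
  openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 -binary | openssl base64
}
pin_matches() {  # pin_matches <certificate> <expected-pin> -> prints yes or no
  if [ "$(cert_pin "$1")" = "$2" ]; then echo yes; else echo no; fi
}
GENUINE_PIN=$(key_pin genuine.key)

echo "mis-issued CA:TRUE cert as issuer, chain valid: $(chain_valid mitm-google.crt ego-bad.crt)"
echo "correct CA:FALSE cert as issuer, chain valid:   $(chain_valid mitm-google-ok.crt ego-ok.crt)"
echo "minted *.google.com leaf matches pinned key:    $(pin_matches mitm-google.crt "$GENUINE_PIN")"
echo "genuine *.google.com leaf matches pinned key:   $(pin_matches genuine-google.crt "$GENUINE_PIN")"
```

The first two lines of output are the lesson about issuance: nothing in the firewall changes between the two runs, only the issuer's extension profile, and that one bit decides whether the minted *.google.com certificate validates. The last two lines are the lesson about detection: path validation cannot tell a mis-issued chain from a legitimate one, but a client that remembers which key it expects behind a name rejects the impostor even though the chain is cryptographically perfect.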
If you prefer your news more alarming and conspiracy-rich, a Reuters report of 3 Jan said this was likely done by the public transit agency EGO in order to spy on its own employees’ use of Gmail and Google searches.
Cooler heads prevailed. Türktrust investigated and reported in a convincingly open fashion, and while all the major browsers quickly blocked the two spurious sub-CA certificates (the one issued to EGO and a second one issued to a bank) and anything chaining to them, Türktrust itself continued to be trusted as a root CA and its other customers suffered no impact.
That is the problem with the complex web of trust relationships in the Internet-wide public-key infrastructure: innocent parties can suffer a sudden loss of trust (or at least lose the ability to support HTTPS connections) because of a decision the browser community makes about the root CA from which they bought their certificate. The site owner has no say in that decision and often learns of it only when visitors start seeing warnings.
This also brings up the issue of incident response. Yes, Türktrust made errors and then failed to notice them for almost a year and a half. But once Google reported the problem, Türktrust responded in a way that built confidence rather than degrading it further.
That can make the difference in corporate survival, as I’ll explain next week.