Falsely issued Google SSL certificate in the wild for more than 5 weeks

Update: Mozilla have announced out of an abundance of caution that they are releasing new versions of Firefox, Firefox Mobile and Thunderbird to revoke the trust of DigiNotar’s root certificate for signing certificates.

I presume this is because DigiNotar has not explained how the Google certificate was signed and to prevent further abuse. This could cause issues for websites who have purchased certificates from DigiNotar.

It remains to be seen whether other browsers will follow in Mozilla’s footsteps, but it may be prudent to remove DigiNotar from your trusted certificates until there is further clarification.

Update 2: Google is following Mozilla’s lead by marking DigiNotar untrusted in the next release of the Chrome OS (Chromium).

Original post: Reports surfaced this morning that accuse the government of Iran of trying to perform a man-in-the-middle attack against Google’s SSL services.

A user named alibo on the Gmail forums posted a thread about receiving a certificate warning about a revoked SSL certificate for SSL-based Google services.

The certificate in question was issued on July 10th by Dutch SSL certificate authority DigiNotar. DigiNotar revoked the certificate today at 16:59:03 GMT, but many browsers do not check for revoked certificates by default.

The certificate was valid for *.google.com and raises serious questions about who the certificate was issued to, and how it was signed.

Was DigiNotar compromised? Were the perpetrators able to acquire the CA’s certificate and sign their own bogus certificate? Or was DigiNotar tricked into signing the certificate for someone pretending to be Google?

The answer to that question is nearly irrelevant, as it is simply more evidence that the current CA infrastructure that we have decided to “trust” is totally untrustworthy. It doesn’t matter how this happened; it has happened before and unfortunately will happen again.

I recently wrote about Moxie Marlinspike’s new project Convergence, which proposes to eliminate the use of certificate authorities and replace the idea with a system of notaries and proxies. I am a big fan of Moxie’s project and if you are a Firefox user you may wish to give it a try.

The evidence that Iran was using this certificate to spy on its citizens is circumstantial at best.

We don’t know whether this was government initiated or just another random individual like the last Comodo certificate hack.

Either way, placing trust in more than 600 certificate authorities to be honest and not screw up is quite a leap of faith. Be sure to enable certificate revocation checks in your browsers and take a close look at alternatives like Convergence.