Created on: January 06, 2013
Google has discovered that two unauthorized certificates were issued for its Google.com domain. The first fraudulent certificate was found on Christmas Eve and steps were taken to close any potential security holes, according to PC World.
The second certificate was discovered during the investigation into the first fraudulent digital certificate.
A digital certificate is an electronic document, independently verified, attesting that a user or entity is who they say they are; it serves as an electronic signature.
In a blog post, Google explained what occurred. An intermediate certificate authority named TURKTRUST, a Turkish company, had mistakenly issued two certificates. When Google made the initial discovery on Dec. 24, it immediately contacted TURKTRUST, and an internal investigation by that company found that two certificates had been erroneously issued and connected to Google's domain back in August 2011.
"Intermediate CA certificates carry the full authority of the CA, so anyone who has one can use it to create a certificate for any website they wish to impersonate," Google said in its blog post. "Our actions addressed the immediate problem for our users. Given the severity of the situation, we will update Chrome again in January to no longer indicate Extended Validation status for certificates issued by TURKTRUST, though connections to TURKTRUST-validated HTTPS servers may continue to be allowed."
Google immediately notified browser vendors so developers could block the unauthorized certificates. The makers of three popular browsers, Chrome (Google), Internet Explorer (Microsoft) and Firefox (Mozilla), have all revoked the imitation certificates.
According to Krebs On Security, Microsoft issued a warning with more detail, indicating one of the two fraudulent certificates was being used in active attacks. The breadth of the attacks is not known at this time, including whether they were directed against Turkish residents or were more extensive.
“This fraudulent certificate could be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks. This issue affects all supported releases of Microsoft Windows,” Microsoft said in a Jan. 3 post.
"Mozilla is actively revoking trust for the two mis-issued certificates which will be released to all supported versions of Firefox in the next update on Tuesday 8th January," Mozilla wrote in a blog post.
Someone with criminal intentions who possesses a certificate such as the ones found can create falsified websites, which can lead to widespread exploits affecting numerous Web users.
Google has indicated it may determine that additional action needs to be taken after more discussion and examination of this security incident takes place.
Learn more about this author, Leigh Goessl.