CA Hacked – Attackers Enabled Themselves to Impersonate Google.com

Published On August 30, 2011 | By Randy Sabett | Data Security, General, International

A Dutch certification authority (CA) named Diginotar has been hacked, and the attackers issued themselves at least one rogue certificate in the name *.google.com. As a result, the attackers can impersonate google.com on the web and thereby seamlessly eavesdrop upon communications between computers that otherwise appear encrypted and secure. At least two entities allegedly carried out this attack – first, a group known as Black.Spook and second, the Iranian government.

So how would one conduct a rogue certificate attack? A CA processes and vets a certificate request and, if the request appears legitimate, issues a digital certificate that ostensibly confirms to users that the certificate holder's identity can be trusted. If a masquerader can convince the CA that it is a legitimate entity, the CA might erroneously issue a rogue certificate. Your next question might be: OK, so why would anyone want a rogue certificate? Holding a rogue certificate allows the holder to impersonate the entity named in that certificate. Computers connecting to the systems of a rogue certificate holder will appear to be connecting to the legitimate domain, and the user's browser will show a trusted, encrypted connection to the desired entity. In this case, the only entities able to make use of a rogue *.google.com certificate would be ones that could reroute legitimate traffic intended for google.com through their own servers. That generally means either a rogue ISP or a government. With a rogue certificate such as *.google.com, for example, a government could conduct a number of different activities, including transparently monitoring the otherwise encrypted activities of its citizens.
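The reason a certificate from a compromised CA is accepted at all is that ordinary chain validation treats every root in the trust store as equally entitled to vouch for any name. The following is an added example, not code from the post or from Diginotar, VASCO or Google: a small model of a client's trust decision with constructed certificate records (the names, serial numbers and "spki-..." fingerprints are hypothetical stand-ins for real SubjectPublicKeyInfo hashes). It shows that plain validation accepts a rogue *.google.com certificate from any trusted root, and that the three responses available to a relying party (revocation, removing the CA from the trust store, and pinning the expected public key) each reject it.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed model of X.509 trust: each record stands in for a certificate.
# "spki_hash" is a hypothetical stand-in for SHA-256(SubjectPublicKeyInfo),
# the value that public-key pins are computed over.
@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    spki_hash: str   # hypothetical fingerprint, not a real hash
    serial: int
    is_ca: bool = False

# Constructed trust store: two roots that the client trusts equally.
TRUST_STORE = {
    "Example Root CA": Cert("Example Root CA", "Example Root CA", "spki-root-1", 1, True),
    "Diginotar Root CA": Cert("Diginotar Root CA", "Diginotar Root CA", "spki-root-2", 2, True),
}

# Certificate deployed by the legitimate site (constructed).
GENUINE = Cert("*.google.com", "Example Root CA", "spki-google-real", 100)
# Rogue certificate issued by the compromised CA (constructed for the example).
ROGUE = Cert("*.google.com", "Diginotar Root CA", "spki-attacker", 4242)


def hostname_matches(pattern: str, host: str) -> bool:
    """Wildcard matching as browsers apply it: '*' covers exactly one left-most label."""
    if pattern.startswith("*."):
        suffix = pattern[1:]                      # ".google.com"
        if not host.endswith(suffix):
            return False
        return "." not in host[: -len(suffix)]    # "mail" ok, "a.b" not
    return pattern == host


def validate(leaf: Cert, host: str, trust_store=TRUST_STORE,
             revoked=frozenset(), pinned_spki: Optional[set] = None) -> str:
    """Return 'ok' or the reason the certificate is rejected.

    The default path accepts a leaf signed by *any* trusted root, which is
    exactly why a rogue *.google.com certificate works. The optional
    revocation list and SPKI pin set are the relying-party defences.
    """
    if not hostname_matches(leaf.subject, host):
        return "name-mismatch"
    root = trust_store.get(leaf.issuer)
    if root is None or not root.is_ca:
        return "untrusted-issuer"      # CA removed from the trust store
    if (leaf.issuer, leaf.serial) in revoked:
        return "revoked"               # CA revoked the rogue certificate
    if pinned_spki is not None and leaf.spki_hash not in pinned_spki:
        return "pin-violation"         # client knows which key to expect
    return "ok"


if __name__ == "__main__":
    host = "mail.google.com"
    print("genuine, default validation:", validate(GENUINE, host))
    print("rogue, default validation:  ", validate(ROGUE, host))
    print("rogue, after revocation:    ",
          validate(ROGUE, host, revoked={("Diginotar Root CA", 4242)}))
    print("rogue, with SPKI pin:       ",
          validate(ROGUE, host, pinned_spki={"spki-google-real"}))
    without_dn = {k: v for k, v in TRUST_STORE.items() if k != "Diginotar Root CA"}
    print("rogue, CA distrusted:       ", validate(ROGUE, host, trust_store=without_dn))
```

Revocation only helps once the CA has discovered the breach and the client actually checks the list; removing the root from the trust store is what browser vendors did for Diginotar; pinning is the only one of the three that protects a client before the incident is known, which is why it is the defence worth building into software that talks to a small, fixed set of services.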

In an announcement on the VASCO website (parent company of Diginotar) dated August 30, 2011, VASCO stated that the breach dated back to July 19, 2011 and that it “resulted in the fraudulent issuance of public key certificate requests for a number of domains, including Google.com.”  Stating that it “acted in accordance with all relevant rules and procedures,” the announcement goes on to explain that all rogue certificates were revoked.

This incident, combined with other recent attacks on companies that provide authentication technologies or services, indicates the increasing importance of authentication in our networked infrastructure. As more systems incorporate such mechanisms, attacks will increase as well, whether through social engineering or technology. Although specific details of the Diginotar incident have not yet been released, anyone working with certificate- or credential-based technologies should be particularly aware of the possibility of these kinds of attacks and how to avoid them.

About The Author

Randy V. Sabett joined ZwillGen as Counsel in 2011. He advises clients on information security, privacy, IT licensing, and intellectual property. Randy has over 20 years of infosec experience, including as an NSA crypto engineer and a CISSP. He works closely with companies in helping them develop strategies to protect and exploit their information and IP based on various evolving business models, including SaaS, mobile applications, cloud, and more traditional client/server architectures. Specific areas on which he focuses include information security, privacy, IT licensing, IP strategy, big data, metrics, active defense, venture capital, legislative matters, government contracting, digital and electronic signatures, federated identity, state and federal information security and privacy laws, identity theft, and data breaches. He also drafts and negotiates a variety of technology transaction agreements.
