Friday, 4 January 2013

Google+ exploit could be bad news for Iran and Syria internet users

Web browser makers have rushed to fix a security lapse that cyber thieves abused to impersonate Google+. Chrome has already been updated; Firefox will be updated on 8 January 2013; Microsoft has issued an update for Internet Explorer that is applied automatically on Windows 8, RT and Server 2012, while users of older versions of Windows need to install it through Windows Update. As usual, Apple has not commented on when, or if, it will take action to protect Safari and iOS users.
Using the fake credentials, criminals set up a website that presented itself as part of the Google+ social network. The lapse lies in the ID credentials (digital certificates) that browsers rely on to confirm that a website is who it claims to be: a certificate for Google issued outside Google's control lets a third party sit between the user and the real site and read or alter the traffic. In other words, someone was attempting a man-in-the-middle attack on the affected user's encrypted connections to Google, but there is no public information about who that was or where they were based.
The fake ID credentials have been traced back to August 2011, when the Turkish Certificate Authority (CA) TurkTrust mistakenly issued two "master keys": intermediate CA certificates that can themselves sign certificates for any website, rather than ordinary website certificates. Google did not discover the problem until late on 24 December 2012, when Chrome detected and blocked a certificate for Google that had been issued under one of them. Google pushed Chrome updates on 25 and 26 December and alerted the other browser vendors.
You may recall that August 2011 saw a report from Google about man in the middle attacks linked to the DigiNotar CA which they said mainly affected users in Iran.
Google's post notes that it "may also decide to take additional action after further discussion and careful consideration," which hints that the Chrome team is considering removing TurkTrust's root certificates altogether. Mozilla will suspend trust in the root from 8 January, when its patch is released. If the CA is removed, however, it could force many sites in countries like Syria and Iran onto national CAs such as ParsSign, which browsers do not trust and which are completely compromised.
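The browser-side checks behind this story can be modelled in a few dozen lines. The following is an added example written for this post, not code from Google, Mozilla or TurkTrust: all certificates, key bytes, fingerprints and names in it are invented stand-ins (no real TurkTrust or Google fingerprints appear), and it replaces X.509 signatures with an authority-key-identifier link so that it runs without any crypto library. It shows why a certificate chained through a mis-issued intermediate passes ordinary path validation to a trusted root, how Chrome's public-key pins for Google nevertheless catch it, how the 25/26 December blacklist update blocks the intermediate, and what happens to the same chain once the root itself is no longer trusted.

```python
"""Simplified model of browser certificate checks (constructed example).

Not the code of any browser or CA. Certificates are minimal records; the
chain link is the SHA-256 of the issuer's public key (a stand-in for the
Authority Key Identifier) and no signatures are verified. Every subject
name, key and fingerprint below is invented for illustration.
"""
import hashlib
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Sequence


@dataclass(frozen=True)
class Cert:
    subject: str            # hostname (may be a wildcard) or CA name
    spki: bytes             # stand-in for the SubjectPublicKeyInfo
    is_ca: bool             # True for roots and intermediates ("master keys")
    aki: Optional[str]      # hex SHA-256 of the issuer's spki; None for a self-signed root


def spki_sha256(cert: Cert) -> str:
    """Fingerprint used both for chain links, pin sets and blocklists."""
    return hashlib.sha256(cert.spki).hexdigest()


def make_root(subject: str, key: bytes) -> Cert:
    return Cert(subject, key, True, None)


def issue(issuer: Cert, subject: str, key: bytes, is_ca: bool) -> Cert:
    """Issue a certificate under `issuer` (no signature, just the AKI link)."""
    return Cert(subject, key, is_ca, spki_sha256(issuer))


def hostname_matches(pattern: str, host: str) -> bool:
    """Wildcards match exactly one label: *.google.com covers plus.google.com only."""
    if pattern.startswith("*."):
        return host.count(".") == pattern.count(".") and host.endswith(pattern[1:])
    return pattern == host


def build_path(chain: Sequence[Cert], roots: FrozenSet[Cert]) -> Optional[List[Cert]]:
    """Walk leaf -> issuer -> ... until a self-signed cert in the trust store."""
    by_spki = {spki_sha256(c): c for c in list(chain) + list(roots)}
    path = [chain[0]]
    while True:
        cur = path[-1]
        if cur.aki is None:
            return path if cur in roots else None
        nxt = by_spki.get(cur.aki)
        if nxt is None or not nxt.is_ca or nxt in path:
            return None
        path.append(nxt)


def evaluate(chain: Sequence[Cert], host: str, roots: FrozenSet[Cert],
             blocked_spki: FrozenSet[str] = frozenset(),
             pins: Optional[FrozenSet[str]] = None) -> str:
    """Return a verdict: the checks run in the order a browser applies them."""
    leaf = chain[0]
    if leaf.is_ca or not hostname_matches(leaf.subject, host):
        return "name mismatch"
    path = build_path(chain, roots)
    if path is None:
        return "untrusted root"
    # Blacklist update: refuse any intermediate on the mis-issued list.
    if any(spki_sha256(c) in blocked_spki for c in path[1:-1]):
        return "blocked intermediate"
    # Public-key pinning: some cert in the path must carry a pinned key.
    if pins is not None and not any(spki_sha256(c) in pins for c in path):
        return "pin mismatch"
    return "ok"


# --- constructed test data (invented names and keys, not real certificates) ---
TURKTRUST_ROOT = make_root("TURKTRUST root (stand-in)", b"turktrust-root-key")
MISISSUED_CA = issue(TURKTRUST_ROOT, "subordinate CA issued by mistake (stand-in)",
                     b"subordinate-key", True)            # one of the two "master keys"
FRAUD_LEAF = issue(MISISSUED_CA, "*.google.com", b"attacker-key", False)
FRAUD_CHAIN = [FRAUD_LEAF, MISISSUED_CA]

GOOGLE_ROOT = make_root("Google root (stand-in)", b"google-root-key")
GOOGLE_CA = issue(GOOGLE_ROOT, "Google intermediate (stand-in)", b"google-ia-key", True)
GOOGLE_LEAF = issue(GOOGLE_CA, "*.google.com", b"google-leaf-key", False)
GOOGLE_CHAIN = [GOOGLE_LEAF, GOOGLE_CA]

ROOTS = frozenset({TURKTRUST_ROOT, GOOGLE_ROOT})         # trust store before any removal
GOOGLE_PINS = frozenset({spki_sha256(GOOGLE_CA), spki_sha256(GOOGLE_ROOT)})
BLOCKLIST_AFTER_UPDATE = frozenset({spki_sha256(MISISSUED_CA)})

if __name__ == "__main__":
    host = "plus.google.com"
    print("plain validation     :", evaluate(FRAUD_CHAIN, host, ROOTS))
    print("with pins            :", evaluate(FRAUD_CHAIN, host, ROOTS, pins=GOOGLE_PINS))
    print("after blacklist      :", evaluate(FRAUD_CHAIN, host, ROOTS,
                                             BLOCKLIST_AFTER_UPDATE, GOOGLE_PINS))
    print("root removed         :", evaluate(FRAUD_CHAIN, host, frozenset({GOOGLE_ROOT})))
    print("genuine chain        :", evaluate(GOOGLE_CHAIN, host, ROOTS,
                                             BLOCKLIST_AFTER_UPDATE, GOOGLE_PINS))
```

The first verdict is the uncomfortable one: the fraudulent chain is well formed and ends at a root in the trust store, so nothing in ordinary path validation objects to it. Only the pin set (which Chrome ships for Google properties) or the blacklist pushed in the update rejects it, and a browser without either, such as one that has not yet received the update, accepts the impostor. The "root removed" case shows the blunt alternative the post discusses: every site chained to that root, including legitimate ones, stops validating.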

via @lissnup