A week after the disclosure of the existence of a fraudulent certificate for Google domains that resulted from the mistaken issuance of a subordinate certificate by a Turkish certificate authority, officials at TURKTRUST are continuing to defend their actions in response to the incident, and say that there is “no evidence of any attack or hacking attempt on our system”.
The TURKTRUST incident came to light last week after Google officials said that Chrome had identified the fraudulent Google certificate and, after investigating the source of it, found that it was generated by a subordinate certificate that TURKTRUST had issued to an agency related to the government of Turkey’s capital city, Ankara. Initial concerns in the security community were that the TURKTRUST system had been compromised, either through an external attack or the actions of a malicious insider.
However, TURKTRUST officials quickly came out publicly, saying that the company in 2011 had mistakenly issued two subordinate certificates–one to a bank and the other to the government-affiliated agency. The first certificate was revoked quickly at the request of the customer and the other one was installed on a Web server as part of a webmail deployment. It was used as a normal SSL certificate for some time until early December when it was exported to to a firewall and later was used to generate a certificate for *.google.com.
That firewall was later configured to intercept and inspect SSL traffic, which raised a lot of concerns about who was on the other side of that firewall and what their intentions were. However, TURKTRUST officials said there was no malicious intent in the issuance of the two subordinate certificates.
“Before ‘ETSI TS 102 042 CA Management System Standard’ certification took place, our systems were subject to upgrades and improvements between May-November 2011. In the course of this process, two faulty SSL certificates in the same production package were issued due to a defective data migration and software upgrade process. Upon the notification of the Internet browsers on December 26, 2012, one of the faulty certificates, that had been valid by then, was immediately revoked. All our systems were explored in depth and the root cause of the problem was identified. The data revealed that the instance was unique, and restricted only to this case. There is also no evidence of any attack or hacking attempt on our systems, as well as no implication of any malicious usage,” TURKTRUST officials said in a statement.
The question of what happened with the certificates after they were issued by TURKTRUST is a thornier one. Company officials said that representatives from EGO, the company that got the subordinate CA and later generated the Google certificate, told them that they initially tried to use the CA on the firewall, but it kept producing warnings on internal client machines. So the company then changed tactics.
“They had first tried to use the internal CA on the firewall. The internal clients (obviously) had given trust warning, so they had decided to export the trusted cert on the web mail server. They should, of course, have chosen to install trust for the internal CA into their clients in the domain,” TURKTRUST officials wrote in a discussion of the incident on Google Groups.
Company officials also said it is not their place to speculate on the intentions of the people at EGO who had the powerful subordinate certificate, but that there was nothing other than a mistake on the part of TURKTRUST personnel.
“We would like to emphasize once more that there is no malevolence, fraud or any other crime factor as well as an attack to our systems within the case. TURKTRUST will continue to manage the case openly and transparently with responsibility not only to Turkish public but also to all internet users,” the company said in a statement from Jan. 5.
