Google has detected an unauthorised digital certificate, which has been issued in its name and could have allowed impersonation of its social media network, Google+.
According to the search major, the loophole, which has been blocked by the firm, involved an exploit of ID credentials, which are used by browsers to assure a website is who it claims to be, while the usage of fake credentials could have led to creation of a website that was supposed to be part of the Google+.
Turktrust, a root certificate authority in Turkey which issues intermediate certificates, siad it had been issued by mistake.
Google software engineer Adam Langley said that in response, the firm has updated Chrome’s certificate revocation metadata on December 25 to block the intermediate certificate, and then alerted TURKTRUST and other browser vendors.
"On December 26, we pushed another Chrome metadata update to block the second mistaken CA certificate and informed the other browser vendors," Langley said.
An investigation led by TurkTrust revealed that in August 2011 the firm had issued the wrong security credential twice to organisations that should have instead received regular SSL certificates.
"Our actions addressed the immediate problem for our users," Langley added."Given the severity of the situation, we will update Chrome again in January to no longer indicate Extended Validation status for certificates issued by TURKTRUST, though connections to TURKTRUST-validated HTTPS servers may continue to be allowed."
Content from our partners
