Cybersecurity: Crime and Espionage

Anyone Want A Bridge In Brooklyn? Cheap?

By Paul Rosenzweig
Thursday, January 3, 2013, 4:10 PM

If you do, perhaps you might also be willing to buy a cyber certificate from TURKTRUST.INC.

TURKTRUST is a certificate authority.  That means that it is authorized to issue certificates which tell you that you've reached an authentic web site.  So, for example, when you go to your web browser (whether Chrome, Mozilla or Internet Explorer) automatically checks the certificate presented by the web site for authenticity.  If the certificate matches its stored list of authentic web sites, your web browser loads the web site.  If the certificate doesn't match then your web browser re-directs you and saves you from going someplace fraudulent.

Now, when you are browsing to Lawfare, the authenticity of the site probably doesn't matter that much.  After all, Lawfare isn't asking you for personal information and you aren't sending money or entering a password when you get here.  But, with lots of other sites it's much more important to know that the site you are going to is authentic -- virtually any commercial site where you spend money, or your bank for example.

So what happens, for example, if a certificate authority issues a fraudulent certificate to a malicious actor (let's say, hypothetically, a Russian cybermobster)?  Then, your communications are at risk of spoofing, and what we call a man-in-the-middle attack.  Here's how it works.  You type in the web address of your bank, say --  But you are redirected to a phony web site that looks to you just like the real one.  And your web browser tells you it is real because the site has the phony certificate of trust from the certificate authority.  So when you go to log in with your user name and password, the fake web site in turn transmits that information to the real Chase web site and then mirrors the bank's response to you.  Sitting in the middle, the mobster transmits your information back and forth to the bank and all the while to you the transaction looks perfectly normal.

And then, when you log off, at his leisure the mobster can log in as you at the bank and this time he orders it to transfer your entire account to Romania.  So you can see why the issuance of certificates is critical to the chain of trust.  If you trust the certificate, you trust the site.

And that's why today's report from ZDNet is so troubling.  According to Microsoft, TURKTRUST created two subsidiary certificate authorities operated by .... wait for it ... the Turkish government.  One of those government subsidiaries, in turn, issued a fraudulent digital certificate for the * domain (the "*" is a general character that means the certificate works for or or any other Google application).  In theory at least, virtually any attempt to access a Google application is subject to possible misdirection and malicious activity -- quite possibly at the behest of the Turkish government.

The browser manufacturers have taken quick action -- Google, Microsoft and Mozilla have all announced that they will revoke the certificates immediately.
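The chain of trust and the browsers' fix described above, as an added example that is not part of the original post: a simplified Python model of the check a browser runs, showing why a wildcard certificate from any subordinate of a trusted authority is accepted and how distrusting that subordinate stops it. All names and data are constructed and hypothetical, and signature and expiry checks are left out.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str            # who the certificate was issued to
    issuer: str             # which CA vouched for it
    is_ca: bool = False     # may it vouch for other certificates?
    dns_names: tuple = ()   # host names it claims to cover

def name_matches(pattern, host):
    """'*' stands for exactly one leftmost label: *.shop.example covers mail.shop.example."""
    p, h = pattern.lower().split("."), host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def validate(chain, host, trusted_roots, distrusted=frozenset()):
    """Return (ok, reason); chain[0] is the site's certificate, then each CA above it.
    Simplified model: signature, expiry and constraint checks are left out."""
    if not any(name_matches(n, host) for n in chain[0].dns_names):
        return False, "name mismatch"
    for cert, signer in zip(chain, chain[1:]):
        if cert.issuer != signer.subject or not signer.is_ca:
            return False, "broken chain"
    for cert in chain:
        if cert.subject in distrusted:
            return False, "distrusted: " + cert.subject
    if chain[-1].issuer not in trusted_roots:
        return False, "untrusted root"
    return True, "ok"

# Constructed sample data; every name here is hypothetical.
ROOTS = {"Example Root CA"}
SUB_CA = Cert("Example Subordinate CA", "Example Root CA", is_ca=True)
LEAF = Cert("*.shop.example", "Example Subordinate CA", dns_names=("*.shop.example",))
CHAIN = [LEAF, SUB_CA]

if __name__ == "__main__":
    # Accepted: the chain leads to a trusted root, whoever actually holds the key.
    print(validate(CHAIN, "mail.shop.example", ROOTS))
    # After the browser update that distrusts the subordinate CA, it is rejected.
    print(validate(CHAIN, "mail.shop.example", ROOTS, {"Example Subordinate CA"}))
```
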

No doubt TURKTRUST will soon "apologize" for its mistake.  Me?  I'm not buying the bridge.