03.01 2013

TURKTRUST – Fraudulent digital certificates could allow spoofing = DigiNotar – The Sequel?

Microsoft has released a Microsoft security advisory (http://support.microsoft.com/kb/2798897) about this issue for IT professionals. The update is released for all supported versions of Microsoft Windows. It revokes trust in the following certificates by placing them in the Microsoft Untrusted Certificate Store:

*.google.com issued by *.EGO.GOV.TR
e-islem.kktcmerkezbankasi.org issued by TURKTRUST Elektronik Sunucu Sertifikasi Hizmetleri
*.EGO.GOV.TR issued by TURKTRUST Elektronik Sunucu Sertifikasi Hizmetleri

If you look at these 3 certificates in the registry (untrusted certificate store), you can find them (as blobs) with the following thumbprints:

[HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\C69F28C825139E65A646C434ACA5A1D200295DB1]
*.EGO.GOV.TR issued by TURKTRUST Elektronik Sunucu Sertifikasi Hizmetleri (8-8-2011)

[HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\4D8547B7F864132A7F62D9B75B068521F10B68E3]
*.google.com issued by *.EGO.GOV.TR (6-12-2012)

[HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\F92BE5266CC05DB2DC0DC3F2DC74E02DEFD949CB]
e-islem.kktcmerkezbankasi.org issued by TURKTRUST Elektronik Sunucu Sertifikasi Hizmetleri (8-8-2011)
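
To confirm on a given machine that the three certificates are really distrusted, the check below looks for each thumbprint both as a registry key and in the Disallowed certificate store, and flags any copy that also sits in a store that confers trust. It is an added example, not part of the Microsoft update; the thumbprints and names are the ones listed above, and the choice of trust stores to scan is an assumption.

```powershell
# Added example: verify the three TURKTRUST-related certificates are distrusted.
# Thumbprints and names are copied from the registry keys listed above.
$revoked = [ordered]@{
    'C69F28C825139E65A646C434ACA5A1D200295DB1' = '*.EGO.GOV.TR'
    '4D8547B7F864132A7F62D9B75B068521F10B68E3' = '*.google.com'
    'F92BE5266CC05DB2DC0DC3F2DC74E02DEFD949CB' = 'e-islem.kktcmerkezbankasi.org'
}

$regBase     = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates'
# Assumption: these are the machine stores worth scanning for a stray trusted copy.
$trustStores = 'Root', 'CA', 'AuthRoot', 'TrustedPublisher'

$report = foreach ($thumb in $revoked.Keys) {
    # Physical registry location shown in the post
    $inRegistry = Test-Path -Path (Join-Path $regBase $thumb)
    # Logical store view (also includes Group Policy / enterprise locations)
    $inStore    = Test-Path -Path "Cert:\LocalMachine\Disallowed\$thumb"
    # The same certificate must not remain in a store that grants trust
    $foundIn    = foreach ($store in $trustStores) {
        if (Test-Path -Path "Cert:\LocalMachine\$store\$thumb") { $store }
    }
    [pscustomobject]@{
        Name              = $revoked[$thumb]
        Thumbprint        = $thumb
        RegistryKey       = $inRegistry
        DisallowedStore   = $inStore
        AlsoInTrustStores = ($foundIn -join ',')
    }
}

$report | Format-Table -AutoSize

# A missing entry is a prompt to investigate, not proof of exposure: systems that
# receive revocations through the automatic disallowed-CTL updater may not have
# per-certificate entries.
$missing = @($report | Where-Object { -not $_.DisallowedStore })
if ($missing.Count -gt 0) {
    Write-Warning ("Not in Disallowed store: " + ($missing.Name -join ', '))
}
$stray = @($report | Where-Object { $_.AlsoInTrustStores })
if ($stray.Count -gt 0) {
    Write-Warning ("Also present in a trust store: " + ($stray.Name -join ', '))
}
```

Run it from an elevated PowerShell prompt so every machine store is readable.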

The *.google.com certificate seems to be issued by *.EGO.GOV.TR. Look at the long list of SANs (subject alternative names) in this certificate:

DNS Name=*.google.com
DNS Name=*.android.com
DNS Name=*.appengine.google.com
DNS Name=*.cloud.google.com
DNS Name=*.google-analytics.com
DNS Name=*.google.ca
DNS Name=*.google.cl
DNS Name=*.google.co.in
DNS Name=*.google.co.jp
DNS Name=*.google.co.uk
DNS Name=*.google.com.ar
DNS Name=*.google.com.au
DNS Name=*.google.com.br
DNS Name=*.google.com.co
DNS Name=*.google.com.mx
DNS Name=*.google.com.tr
DNS Name=*.google.com.vn
DNS Name=*.google.de
DNS Name=*.google.es
DNS Name=*.google.fr
DNS Name=*.google.hu
DNS Name=*.google.it
DNS Name=*.google.nl
DNS Name=*.google.pl
DNS Name=*.google.pt
DNS Name=*.googleapis.cn
DNS Name=*.googlecommerce.com
DNS Name=*.gstatic.com
DNS Name=*.urchin.com
DNS Name=*.url.google.com
DNS Name=*.youtube-nocookie.com
DNS Name=*.youtube.com
DNS Name=*.ytimg.com
DNS Name=android.com
DNS Name=g.co
DNS Name=goo.gl
DNS Name=google-analytics.com
DNS Name=google.com
DNS Name=googlecommerce.com
DNS Name=urchin.com
DNS Name=youtu.be
DNS Name=youtube.com

The certificate blobs to import in the untrusted certificate store in the registry
