There was a bit of a panic in the internet security world yesterday when Google revealed that a couple of completely random and totally dodgy Turkish websites are in possession of incredibly valuable digital certificates that can trick your browser into giving away all your Google details to some stranger. Needless to say, Google’s security bods were in a bit of a tizzy.
The problem arose from a Turkish issuer of “intermediate Certificate Authority” certificates, who gave away Google Certificate Authority certificates to two entities who should only have got SSL certificates. Still with me? Good. Basically, this is like accidentally giving people admin status rather than user status on a computer network; with this authority, the two entities could generate digital certificates (the things browsers use to see if a site’s dodgy or not) for any domain.
The short version of this is: by accident, two random Turkish websites could pose as legitimate Google websites and nick log-in credentials or read communications for a site. This is what internet security pros have rabid nightmares about. It’s like handing some immature kiddies the keys to the Bank of England and telling them to have fun.
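Added example, not part of the original article: in an X.509 certificate, the "admin versus user" difference described above lives in the basicConstraints extension, whose cA flag says whether the holder may sign other certificates. The Python below parses that extension and applies the issuer check a browser makes while validating a chain; the function names and byte strings are constructed for illustration and are not taken from the real certificates.

```python
def read_tlv(buf, pos):
    """Read one DER tag-length-value; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                            # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def parse_basic_constraints(ext_value):
    """Return (is_ca, path_len) from a DER BasicConstraints value (RFC 5280)."""
    tag, body, end = read_tlv(ext_value, 0)
    if tag != 0x30 or end != len(ext_value):
        raise ValueError("not a single SEQUENCE")
    is_ca, path_len, pos = False, None, 0        # cA defaults to FALSE
    if pos < len(body) and body[pos] == 0x01:    # BOOLEAN cA
        _, val, pos = read_tlv(body, pos)
        is_ca = val != b"\x00"
    if pos < len(body) and body[pos] == 0x02:    # INTEGER pathLenConstraint
        _, val, pos = read_tlv(body, pos)
        path_len = int.from_bytes(val, "big")
    if pos != len(body):
        raise ValueError("unexpected trailing data")
    return is_ca, path_len

def first_unauthorised_issuer(issuers):
    """issuers: BasicConstraints values, root first, for every certificate
    that signs another one in the chain (the final site certificate is left
    out). Returns the index of the first certificate that is not allowed to
    sign, or None if every issuer in the chain is acceptable."""
    for i, ext in enumerate(issuers):
        is_ca, path_len = parse_basic_constraints(ext)
        below = len(issuers) - 1 - i             # CA certs under this one
        if not is_ca or (path_len is not None and below > path_len):
            return i
    return None

# Constructed extension values (assumptions, not the real certificates).
ROOT       = bytes.fromhex("30030101ff")         # cA=TRUE
ISSUER     = bytes.fromhex("30030101ff")         # cA=TRUE, no path limit
ISSUER_PL0 = bytes.fromhex("30060101ff020100")   # cA=TRUE, pathLen=0
SSL_ONLY   = bytes.fromhex("3000")               # cA absent, so FALSE
MISISSUED  = bytes.fromhex("30030101ff")         # cA=TRUE handed out by mistake
```

With `[ROOT, ISSUER, SSL_ONLY]` the check rejects the customer certificate as a signer, while `[ROOT, ISSUER, MISISSUED]` passes. `[ROOT, ISSUER_PL0, MISISSUED]` is rejected at the issuer, because a path length limit of 0 forbids any further CA certificate beneath it.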
Of course, Google didn’t exactly sit on its arse when it learned about the problem. In fact, it updated Chrome, and the last dodgy certificate stopped working on Boxing Day. Microsoft and Mozilla followed suit and now, dear readers, you should be safe from some Turkish dude in a steam-bath somewhere nicking your Gmail login details. Probably. [Google Online Security via The Register]