CORRECTED - Turkish agency blamed by US companies for intercepted Web pages

Fri Jan 4, 2013 6:38am IST

(Clarifies the agency in third paragraph)

By Joseph Menn

SAN FRANCISCO (Reuters) - An agency of the Turkish government deployed a deceptive version of some Google Inc (GOOG.O) web pages, possibly to monitor activity by its employees, major Internet companies said on Thursday.

The reports are the latest in a series of incidents in which hackers or governments have taken advantage of the loose rules surrounding the standard security for financial and other sensitive sites, those with Web addresses starting with https.

In the most recent case, an Ankara public transit agency known as EGO obtained the capacity to validate such Web pages from a Turkish Internet authority called TurkTrust, which is among the hundreds of entities treated as reliable by all major Internet browsers, Microsoft Corp (MSFT.O) said in a blog post.

Last month, EGO issued an improper certificate that told some visitors to Google they had reached it securely when they had not, Google said. The ruse was detected because unlike other browsers, Google's Chrome warns users and the company if an unexpected certificate is authenticating a Google site.

Google asked TurkTrust, which said it had "mistakenly" granted the right to authenticate any site to two organizations in August 2011. Google also warned browser makers including Microsoft and Mozilla, makers of Internet Explorer and Firefox, and all three will now block sites that were authenticated by EGO and another TurkTrust customer.

Though only Google was demonstrably faked, giving EGO access to Gmail and search activity, many other pages could have been faked without any of the real companies knowing about it. Spokesmen for the Turkish Embassy in Washington and the consulates in New York and Los Angeles could not be reached for comment.

Few details were provided by the technology companies, but one person involved with the issue said that it appeared that the fake Google.com had been displayed on one internal network.

"The logical theory is that the transportation agency was using it to spy on its own employees," said Chris Soghoian, a former Federal Trade Commission technology expert now working for the American Civil Liberties Union.

Validation authority alone isn't enough to intercept traffic, the most likely goal of the project. The authenticator would also have to come in contact with the Web user.

A similar situation developed in 2011, when Dutch certificate authority DigiNotar said it had been hacked and that certificates had been stolen. Google later warned that a fake certificate for its site was showing up in Iran, and it warned Gmail users in that country to change their passwords.

Soghoian and other technologists have complained for years that the system behind HTTPS sites is broken, but the industry has been slow to change.

Among other issues, the certificate authorities can resell the right to authenticate and don't have to disclose who their customers are.

"The entire Web relies on every single certificate authority being honest and secure," Soghoian said. "It's a ticking time bomb." (Reporting by Joseph Menn; Editing by Steve Orlofsky)
