TURKTRUST: No harm from fake digital certificates

“We would like to emphasize once more that there is no malevolence, fraud or any other crime factor as well as an attack to our systems within the case,” TURKTRUST said in an online statement.

Over Christmas Eve and Christmas Day, Google’s Chrome security team became aware of a fraudulent Google certificate. After some investigation, it became clear that TURKTRUST issued two faulty SSL certificates accidentally in August 2012, during a defective data migration and software upgrade process. Google alerted Microsoft and Mozilla that Internet Explorer and Firefox may be similarly at risk, and the three subsequently blocked the certificates.

An online forum on the matter has been abuzz with discussion as to how it happened and the extent of the possible damage. An attacker armed with a fraudulent SSL certificate and an ability to control their victim’s network could impersonate websites, luring users into trusting apparently official websites and then launching malware or clickjacking schemes.

TURKTRUST said that there is no evidence of foul play due to the mistake. “Upon the notification of the Internet browsers on December 26, 2012, one of the faulty certificates, that had been valid by then, was immediately revoked,” TURKTRUST noted. “All our systems were explored in depth and the root cause of the problem was identified. The data revealed that the instance was unique, and restricted only to this case. There is also no evidence of any attack or hacking attempt on our systems, as well as no implication of any malicious usage.”

Nonetheless, TURKTRUST said that the media coverage has in some instances been skewed, painting the company as a perpetrator and unreliable source. “It was seen that on some news and social media writings, incomplete or wrong statements are used and the truth was perverted with controversial reasons without respecting the principles of impartiality and specialization,” the company said. “Our attempts continue to correct similar news published in national and international press. It is inappropriate and unfair to use statements comprising blames and accusations without any solid grounds that will hurt the reputation of our company and the government organizations mentioned.”

What’s Hot on Infosecurity Magazine?