On Jan 3, 2013, at 7:57 PM, Andy Isaacson <[email protected]> wrote:
> On Thu, Jan 03, 2013 at 10:13:54AM -0800, Andy Isaacson wrote:
>> http://googleonlinesecurity.blogspot.com/2013/01/enhancing-digital-certificate-security.html
>>
>> TURKTRUST told us that based on our information, they discovered
>> that in August 2011 they had mistakenly issued two intermediate CA
>> certificates to organizations that should have instead received
>> regular SSL certificates.
>
> Microsoft's announcement provides the names of the two certificates.
>
> http://blogs.technet.com/b/msrc/archive/2013/01/03/security-advisory-2798897-released-certificate-trust-list-updated.aspx
>
> TURKTRUST Inc. incorrectly created two subsidiary Certificate
> Authorities: (*.EGO.GOV.TR and e-islam.kktcmerkezbankasi.org). The
> *.EGO.GOV.TR subsidiary CA was then used to issue a fraudulent
> digital certificate to *.google.com.

I just looked through our notary data - and we have not seen either of the intermediate certificates in any of the connections we monitor. That (probably) means that the certificates were not widely used to MITM connections.

For people that do not know about our notary: We are currently passively monitoring the SSL connections of about 300k users at about 10 different mostly educational networks. Most (but not all) of them are in the US. Data collection has started in February. More details are available at http://notary.icsi.berkeley.edu.

Bernhard
