
Rogue Google web cert prompts Firefox, Chrome security update


Users of Google-related services, beware: a fraudulent SSL certificate for public websites belonging to Google Inc. has been discovered, prompting browser makers Mozilla and Google to ready patches for their respective browsers. Mozilla, which makes the open-source Firefox browser, said the questioned certificate has since been revoked by its issuer, DigiNotar.

"(With the fraudulent SSL certificate), users on a compromised network could be directed to sites using a fraudulent certificate and mistake them for the legitimate sites. This could deceive them into revealing personal information such as usernames and passwords," it said in its security blog Tuesday (Manila time).

Mozilla said the sites using a fraudulent certificate may also deceive users into downloading malware if they believe it is coming from a trusted site. It added it had received reports of these certificates being used "in the wild."

A separate report on UK's The Register said the counterfeit Web certificate for Google.com can give attackers the encryption keys needed to impersonate Gmail and virtually every other digitally signed Google property. The Register reported this was at least the second time in five months that unauthorized parties have gotten hold of valid SSL certificates for sensitive websites.

"If it's true that this credential is being used to snoop on Gmail users, there's no telling how long it will take to stop the attack," The Register added.

"Because the extent of the mis-issuance is not clear, we are releasing new versions of Firefox for desktop (3.6.21, 6.0.1, 7, 8, and 9) and mobile (6.0.1, 7, 8, and 9), Thunderbird (3.1.13, and 6.0.1) and SeaMonkey (2.3.2) shortly that will revoke trust in the DigiNotar root and protect users from this attack," it said.

Mozilla also posted a Web page with instructions on how to manually disable the DigiNotar root in Firefox. For its part, Google indicated it may mark DigiNotar as untrusted in the next release of its Chrome browser.

Issue 7795014 on the Chromium Code Reviews website aims to "Mark DigiNotar as untrusted."

A separate blog post by computer security firm Sophos indicated the falsely issued Google SSL certificate had been in the wild since July.

"The certificate in question was issued on July 10th by Dutch SSL certificate authority DigiNotar. DigiNotar revoked the certificate (Monday) at 16:59:03 GMT, but many browsers do not check for revoked certificates by default. The certificate was valid for *.google.com and raises serious questions about who the certificate was issued to, and how it was signed," Sophos' Chester Wisniewski said. — TJD, GMA News
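Two practical checks follow from the article: whether a distrusted root (here DigiNotar) is still present in a trust store an application loads, and how many hostnames a single wildcard certificate such as *.google.com actually covers. The script below is an added example written for this page; it is not code from Mozilla, Google, Sophos or GMA News. It uses only the Python standard library: the store-audit helper reads the tuple-of-tuples subject structure that `ssl.SSLContext.get_ca_certs()` returns, and the wildcard matcher implements the usual single-label rule (one label to the left of the dot, no match for the bare domain). The sample store entries and hostnames are constructed for the demonstration, and the list of distrusted organization names is an assumption you would replace with your own policy.

```python
"""Audit a trust store for a distrusted CA and show a wildcard's scope.
Added example for this article; not from any vendor or the newspaper."""
import ssl
from typing import Iterable, List

# Assumed policy list: organization names whose roots should not be trusted.
# The article describes browsers revoking trust in the DigiNotar root.
DISTRUSTED_ORGS = ("DigiNotar",)


def subject_field(cert: dict, key: str) -> str:
    """Return one attribute (e.g. 'organizationName') from the 'subject'
    entry of a dict shaped like the ones ssl.SSLContext.get_ca_certs() yields:
    a tuple of RDNs, each RDN a tuple of (type, value) pairs."""
    for rdn in cert.get("subject", ()):
        for attr_type, attr_value in rdn:
            if attr_type == key:
                return attr_value
    return ""


def find_distrusted_roots(ca_certs: Iterable[dict],
                          distrusted_orgs: Iterable[str] = DISTRUSTED_ORGS) -> List[str]:
    """Return the common names of loaded roots whose subject O or CN mentions
    any distrusted organization. A non-empty result means the store still
    trusts an issuer you have decided to revoke."""
    hits = []
    for cert in ca_certs:
        org = subject_field(cert, "organizationName")
        cn = subject_field(cert, "commonName")
        haystack = f"{org} {cn}".lower()
        if any(bad.lower() in haystack for bad in distrusted_orgs):
            hits.append(cn or org)
    return hits


def audit_system_store() -> List[str]:
    """Run the audit against the roots Python loads by default. On platforms
    where load_default_certs() yields nothing (e.g. OpenSSL without a bundle),
    this returns [] without proving the root is absent; check the OS store too."""
    ctx = ssl.create_default_context()
    return find_distrusted_roots(ctx.get_ca_certs())


def wildcard_matches(pattern: str, hostname: str) -> bool:
    """Single-label wildcard matching: '*.google.com' covers 'mail.google.com'
    but neither 'google.com' nor 'a.b.google.com', and never a different domain."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]            # '*.google.com' -> '.google.com'
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[:-len(suffix)]
    return bool(leftmost) and "." not in leftmost


def hosts_covered(pattern: str, hostnames: Iterable[str]) -> List[str]:
    """List which of the given hostnames a certificate for `pattern` would
    be accepted for; this is the blast radius of one mis-issued wildcard."""
    return [h for h in hostnames if wildcard_matches(pattern, h)]


# Constructed sample store: one entry mimicking a DigiNotar root, one benign.
SAMPLE_STORE = [
    {"subject": ((("countryName", "NL"),),
                 (("organizationName", "DigiNotar"),),
                 (("commonName", "DigiNotar Root CA"),))},
    {"subject": ((("countryName", "XX"),),
                 (("organizationName", "Example Trust Ltd"),),
                 (("commonName", "Example Root CA"),))},
]

# Constructed hostnames to illustrate the scope of a *.google.com certificate.
SAMPLE_HOSTS = ["mail.google.com", "docs.google.com", "google.com",
                "a.b.google.com", "mail.google.com.evil.example"]

if __name__ == "__main__":
    print("distrusted roots in sample store:", find_distrusted_roots(SAMPLE_STORE))
    print("distrusted roots in this system's default store:", audit_system_store())
    print("hosts covered by *.google.com:", hosts_covered("*.google.com", SAMPLE_HOSTS))
```

Run it as a script to see both checks; in a real deployment you would feed `find_distrusted_roots` the output of `get_ca_certs()` on every context your service builds, since a root removed from the browser is not automatically removed from server-side trust bundles.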