This article is from the source 'bbc' and was first published or seen on . It last changed over 40 days ago and won't be checked again for changes.

You can find the current article at its original source at http://www.bbc.co.uk/news/technology-20908546

The article has changed 4 times. There is an RSS feed of changes available.

Version 0 compared with Version 1 (about 11 hours later)
Cyber thieves pose as Google+ social network
Web browser makers have rushed to fix a security lapse that cyber thieves abused to impersonate Google+.
The loophole exploited ID credentials that browsers use to ensure a website is who it claims to be.
By using the fake credentials, criminals created a website that purported to be part of the Google+ social media network.
The fake ID credentials have been traced back to Turkish security firm TurkTrust which mistakenly issued them.
Secure code
An investigation by TurkTrust revealed that in August 2011 it twice accidentally issued the wrong type of security credential, a form of identification known as an intermediate certificate. Instead of issuing low level certificates it mistakenly gave out two "master keys" that are typically only given to owners of websites. This master key is a guarantee of a site's identity.
"These certificates could be used to impersonate any website to any browser without the end user being alerted that anything is wrong," wrote security analyst Chester Wisniewski from Sophos in a blogpost about the security lapse.
The certificates are important, he said, because secure use of web shops and other services revolves around interaction between the master keys and the lower level security credentials.
The lapse was spotted when automatic checks built into Google's Chrome browser noticed the fake credentials.
Google, Microsoft and Firefox developer Mozilla have all issued updates which revoke the two wrongly issued master security certificates. (Version 0 only, removed in Version 1:) In addition, Mozilla has updated Firefox to reject any certificate issued by TurkTrust while the browser maker investigates the security lapse.
This is not the first time that websites and browser makers have had a problem with security certificates. Fake certificates have been issued before now by several other firms and exposed confidential data including login names and passwords.
"It is really time we move on from this 20-year-old, poorly implemented system," wrote Mr Wisniewski. "It doesn't need to be perfect to beat what we have."