Microsoft has released a security advisory concerning a fraudulent digital certificate for all Google domains, apparently created by the Turkish government. The certificate, which was created by a subsidiary Certificate Authority issued to the transportation directorate of the city government of Ankara, could have been used to intercept SSL traffic in a "man in the middle" attack: by spoofing Google's encryption certificate, an interceptor could decrypt secure Web sessions to Google Plus and Gmail.
According to a statement from the Turkish certificate authority Turktrust, the organization mistakenly issued subsidiary CA certificates to two organizations in 2011—created during testing of Turktrust's certificate production system—instead of the standard SSL certificates they were supposed to receive. Subsidiary CA certificates give the holder the ability to issue SSL certificates with the original CA's authority, so any certificate signed with one is trusted by every client that trusts the original CA.
According to Turktrust, one of the two subsidiary CAs was revoked before it was used. But the second, issued to EGO.GOV.TR, was installed on a Microsoft Internet Information Services (IIS) server used for webmail by the agency until December 6—when the certificate and key were transferred to a CheckPoint firewall. The firewall, which has deep packet inspection and SSL interception features, automatically created man-in-the-middle certificates when the CA certificate was added to it, Turktrust said.
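What separated the ordinary SSL certificate the agency should have received from the subsidiary CA certificate it got is the basicConstraints CA flag, and that flag is all a path validator (or an intercepting firewall) needs to decide whether a certificate may sign others. The Go program below is an added example, not code from the article, Microsoft or Turktrust: it builds a throwaway test PKI with constructed names (root.example.test, customer.example.test, mail.example.test) and checks whether a client trusting only the root accepts a leaf signed by the customer's certificate, once with the CA flag set and once without.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// template builds a minimal certificate; isCA sets the basicConstraints CA flag that turns an SSL certificate into a subsidiary CA.
func template(cn string, serial int64, isCA bool) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: isCA, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
}

// sign issues tmpl under parent with parentKey (self-signed when parent is nil) and returns the certificate with its new key.
func sign(tmpl, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader) // rand.Reader does not fail
	if parent == nil {
		parent, parentKey = tmpl, key // self-signed root
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER was just produced by the library
	return cert, key
}

// LeafAccepted builds root -> customer -> mail.example.test (constructed names) and reports whether a client
// trusting only the root accepts the leaf; customerIsCA=true models the mis-issued subsidiary CA certificate.
func LeafAccepted(customerIsCA bool) bool {
	root, rootKey := sign(template("root.example.test", 1, true), nil, nil)
	cust, custKey := sign(template("customer.example.test", 2, customerIsCA), root, rootKey)
	leaf, _ := sign(template("mail.example.test", 3, false), cust, custKey)
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(cust)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: "mail.example.test"})
	return err == nil // only the CA-flagged customer certificate yields a trusted chain
}

func main() {
	fmt.Println("subsidiary CA cert:", LeafAccepted(true), "- ordinary SSL cert:", LeafAccepted(false))
}
```

The same check (does every intermediate in the chain carry the CA flag, and is each one expected for this site?) is what a client or monitoring system can apply to a chain it receives to spot an unexpected intermediate.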