The business responsible for issuing a bogus Google.com SSL certificate revealed Tuesday that its infrastructure was hacked.
The breach permitted the "fraudulent issuance of public key certificates for a number of domains, including Google.com," according to the statement from Illinois-based VASCO, which owns the Dutch-based DigiNotar, a certificate authority (CA).
Once it detected the hack on July 19, DigiNotar revoked all of the counterfeit certificates. But now the company admits that at least one remained live, the statement said.
Presumably, VASCO is referencing a public report from an Iranian user, who posted Saturday on a help forum that he received a certificate warning from his Chrome browser when he attempted to login to Gmail. The forum note included a link to a Pastebin file, which contains the text of the fake cert, issued July 10.
In response to this apparent in-the-wild attack, VASCO said it plans to indefinitely suspend the sale of its traditional and extended-validation (EV) SSL certificates.
"The company will only restart its SSL and EV SSL certificate activities after thorough additional security audits by third-party organizations," the statement said.
Top browser makers Mozilla and Microsoft also have responded, announcing they would remove the DigiNotar root certificate from their trust list.
Typically, users who visit websites that have been issued forged certs likely won't notice anything amiss, Christopher Soghoian, a noted privacy researcher, told SCMagazineUS.com on Monday. The browser typically blindly trusts whichever certificate it receives from the website, and the attacker can use that confidence to launch man-in-the-middle attacks and steal sensitive information, such as user credentials.
In an attempt to quell any speculation that hackers impacted other parts of VASCO's network, the company said the compromise was confined to its CA environment. VASCO makes authentication solutions similar to RSA, whose network was breached earlier this year in an attempt to steal information related to its SecurID product line."The technological infrastructures of VASCO and DigiNotar are completely separated, meaning that there is no risk for infection of VASCO's strong authentication business," the company said.
Regardless of the scope, the incident highlights the precarious nature of the current CA system.
In March, hackers gained access to competitor Comodo's certificate generation system to fabricate nine fraudulent credentials for big-name sites like Google, Yahoo, Skype and Microsoft's Hotmail. An independent Iranian hacker claimed responsibility.