The bogus cert was reported Saturday on a Gmail help forum by a user named "Alibo," who lives in Iran.
"Today, when I [tried] to login to my Gmail account I saw a certificate warning in Chrome," the user wrote. The forum note included a link to a Pastebin file, which contains the text of the fake cert, issued July 10 by Dutch certificate authority (CA) DigiNotar, owned by Illinois-based data security firm VASCO.
In most cases, users visiting websites that have been issued forged certs likely won't notice anything amiss, Christopher Soghoian, a noted privacy researcher, told SCMagazineUS.com on Monday. The browser typically blindly trusts whichever certificate it receives from the website, and the attacker can use that confidence to launch man-in-the-middle attacks.
The browser uses the fraudulent SSL certificate to open a secure connection to a malicious server, in this case claiming to be Gmail, which in turn opens a connection to the real Gmail server, Soghoian said. All the while, the attackers can listen in and steal sensitive information, such as login credentials.
"If you're doing the attack correctly, you hijack the connection," Soghoian said. "You make the user still go to Google, but you're still watching everything go back and forth...The ISP (internet service provider) needs to be in on the game. Presumably, the Iranian ISP was sending the fake certs to the users."
Browser maker Mozilla said Monday evening it planned to release updated versions of its Firefox product to "revoke trust in the DigiNotar root and protect users from this attack." The blog post confirmed in-the-wild attacks using the fake cert, and said Google notified Firefox about the issue.
Representatives from DigiNotar did not respond to a request for comment.
A Google spokesman said: "We're pleased that the security measures in Chrome protected the user and brought this attack to the public's attention. While we investigate, we plan to block any sites whose certificates were signed by DigiNotar."
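The man-in-the-middle described above works because the browser accepts any certificate chaining to a CA in its trust store. The two responses quoted here, revoking trust in the DigiNotar root and blocking DigiNotar-signed sites, amount to a client-side policy check on the issuer. The following Python is an added illustration of such a check, not code from the article, from Mozilla or from Google. It operates on the dictionary shape that the standard library's `ssl.SSLSocket.getpeercert()` returns; the sample certificates, the distrusted-issuer list and the per-host issuer pin ("Example Trusted CA" is a placeholder CA name) are constructed for the example.

```python
"""Client-side trust check on a getpeercert()-style certificate dict.
Added illustration; sample certs and policy values are constructed."""

import ssl
from datetime import datetime, timezone

# Constructed policy: CA organisations whose root is no longer trusted,
# mirroring the browser vendors' response to the DigiNotar incident.
DISTRUSTED_ISSUER_ORGS = {"DigiNotar"}

# Constructed pins: the only issuer organisations allowed to sign a given
# host's certificate. A cert from any other CA fails even if that CA is
# still in the trust store. "Example Trusted CA" is a placeholder name.
EXPECTED_ISSUER_ORGS = {"mail.google.com": {"Example Trusted CA"}}

# Constructed sample certs in getpeercert() layout: names are tuples of
# RDNs, each RDN a tuple of (attribute, value) pairs; dates use the
# "Mon DD HH:MM:SS YYYY GMT" format that ssl.cert_time_to_seconds parses.
FORGED_GMAIL_CERT = {
    "subject": ((("commonName", "*.google.com"),),),
    "issuer": ((("organizationName", "DigiNotar"),),),
    "notBefore": "Jul 10 00:00:00 2011 GMT",
    "notAfter": "Jul 09 23:59:59 2013 GMT",
}
GENUINE_CERT = {
    "subject": ((("commonName", "mail.google.com"),),),
    "subjectAltName": (("DNS", "mail.google.com"),),
    "issuer": ((("organizationName", "Example Trusted CA"),),),
    "notBefore": "Jan 01 00:00:00 2011 GMT",
    "notAfter": "Dec 31 23:59:59 2012 GMT",
}
OTHER_CA_CERT = dict(GENUINE_CERT, issuer=((("organizationName", "Other CA"),),))

# Constructed "current time" for the check (late August 2011), epoch seconds.
NOW = datetime(2011, 8, 29, tzinfo=timezone.utc).timestamp()


def rdn_value(name, attr):
    """First value of attribute `attr` in a getpeercert()-style name, or None."""
    for rdn in name:
        for key, value in rdn:
            if key == attr:
                return value
    return None


def cert_hostnames(cert):
    """DNS names the certificate claims: SAN entries plus the subject CN."""
    names = {v for k, v in cert.get("subjectAltName", ()) if k == "DNS"}
    cn = rdn_value(cert.get("subject", ()), "commonName")
    if cn:
        names.add(cn)
    return names


def hostname_matches(hostname, pattern):
    """Exact match or single-label wildcard (e.g. *.google.com)."""
    hostname, pattern = hostname.lower(), pattern.lower()
    if pattern.startswith("*."):
        return (hostname.endswith(pattern[1:])
                and hostname.count(".") == pattern.count("."))
    return hostname == pattern


def evaluate_cert(cert, hostname, now):
    """Return (accepted, reason). Rejects certs outside their validity period,
    certs that do not name the host, certs from a distrusted CA, and certs
    whose issuer violates the host's pin."""
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if not (not_before <= now <= not_after):
        return False, "certificate outside its validity period"
    if not any(hostname_matches(hostname, n) for n in cert_hostnames(cert)):
        return False, "certificate does not name %s" % hostname
    issuer_org = rdn_value(cert.get("issuer", ()), "organizationName")
    if issuer_org in DISTRUSTED_ISSUER_ORGS:
        return False, "issuer %r is distrusted" % issuer_org
    pinned = EXPECTED_ISSUER_ORGS.get(hostname)
    if pinned is not None and issuer_org not in pinned:
        return False, "issuer %r violates pin for %s" % (issuer_org, hostname)
    return True, "ok"


if __name__ == "__main__":
    for label, cert in (("forged", FORGED_GMAIL_CERT), ("genuine", GENUINE_CERT),
                        ("other CA", OTHER_CA_CERT)):
        print(label, evaluate_cert(cert, "mail.google.com", NOW))
```

The distrust set is the blunt instrument the vendors reached for; the per-host pin is the finer one, and it is the check that would have caught the forged cert even before DigiNotar was removed from the trust store, because no cert for `mail.google.com` should ever chain to that CA regardless of whether the CA itself is still trusted.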
SSL certificates enable a website to prove its identity to a browser, allowing users to connect securely and ensure they are communicating with the right site. But according to the digital watchdog group Electronic Frontier Foundation, there are some 650 trusted CAs.
And many times these companies don't perform the proper due diligence to make sure certs are issued to the valid site owner, Soghoian said.
Incompetence is one factor, but so is poor security. In March, hackers gained access to CA Comodo's certificate generation system to fabricate nine fraudulent certificates for big-name sites like Google, Yahoo, Skype and Microsoft's Hotmail. An independent Iranian hacker claimed responsibility.
"This is the second CA in less than six months that has issued a bogus cert for Gmail," Soghoian said. "All signs point to a state actor. Criminals go for money. Governments go for communications infrastructure."
These incidents should prompt Congress to take action, but so far lawmakers haven't, he said.
"There's the take-home message here that these CAs are too big to fail," he said. "If there was ever a security issue ripe for government intervention, this is it. How many Iranian certificates need to be issued before Congress gets involved? [But] the issue is really technically complex and I think that sort of spooked some of the folks in D.C."
One option is for the browser companies to fix the underlying issue all at once, so nobody risks losing customers if they get rattled during the repair process, Soghoian said.
At the recent Black Hat conference in Las Vegas, Moxie Marlinspike, co-founder and CTO of security and management solutions provider Whisper Systems, suggested a system overhaul.
Saying the current CA system was broken beyond repair, he released a tool designed to replace it.
The tool, called Convergence, is an add-on for Firefox, which essentially inverts the current CA system, giving more power to users. The tool allows users to decide which organizations to trust, instead of having to rely on the decisions of a site's administrator. Users would be able to take their pick of so-called "trust notaries," which would authorize their communications by default.
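The inversion Marlinspike describes is that the user, not the site operator, chooses which notaries count, and a certificate is accepted only when those notaries, observing the site from their own network vantage points, report the same certificate the user received. The following Python is an added illustration of that decision rule, not Convergence's own code or wire protocol; the notary names, their reports and the certificate bytes are constructed, and the real add-on fetches notary reports over the network rather than from a dictionary. It also shows why the scheme resists the ISP-level interception discussed earlier: a forged certificate injected on the user's path is not what notaries elsewhere see.

```python
"""Notary-consensus check in the spirit of Convergence. Added illustration;
notary names, reports and certificate bytes are constructed."""

import hashlib


def fingerprint(cert_der):
    """SHA-256 fingerprint (hex) of a DER-encoded certificate."""
    return hashlib.sha256(cert_der).hexdigest()


def notary_verdict(observed_fp, reports, trusted, mode="majority"):
    """Decide whether to accept the certificate the client received.

    observed_fp: fingerprint of the cert the client saw for the host.
    reports:     {notary: fingerprint that notary saw from its own vantage
                  point, or None if the notary could not be reached}.
    trusted:     notaries the user chose; any other notary's report is ignored.
    mode:        "majority"  - more than half of the responding trusted
                               notaries must agree with observed_fp;
                 "consensus" - every trusted notary must agree, so an
                               unreachable notary causes rejection.
    Returns (accepted, agreeing_count, counted_notaries).
    """
    considered = {n: fp for n, fp in reports.items() if n in trusted}
    if mode == "consensus":
        total = len(trusted)
        agreeing = sum(1 for n in trusted if considered.get(n) == observed_fp)
        return (total > 0 and agreeing == total), agreeing, total
    responding = {n: fp for n, fp in considered.items() if fp is not None}
    total = len(responding)
    agreeing = sum(1 for fp in responding.values() if fp == observed_fp)
    return (total > 0 and agreeing * 2 > total), agreeing, total


# Constructed stand-ins for DER bytes; only their fingerprints matter here.
REAL_CERT = b"constructed DER bytes: genuine certificate for the mail host"
FORGED_CERT = b"constructed DER bytes: forged certificate injected on the user's path"
REAL_FP = fingerprint(REAL_CERT)
FORGED_FP = fingerprint(FORGED_CERT)

# Constructed notary reports. Notaries a and b, outside the interfering
# network, see the genuine cert; c is unreachable; d (not chosen by the
# user) reports the forged cert, as a notary on the same path would.
REPORTS = {
    "notary-a.example": REAL_FP,
    "notary-b.example": REAL_FP,
    "notary-c.example": None,
    "notary-d.example": FORGED_FP,
}
USER_TRUSTED = {"notary-a.example", "notary-b.example", "notary-c.example"}


if __name__ == "__main__":
    print("forged, majority :", notary_verdict(FORGED_FP, REPORTS, USER_TRUSTED))
    print("real,   majority :", notary_verdict(REAL_FP, REPORTS, USER_TRUSTED))
    print("real,   consensus:", notary_verdict(REAL_FP, REPORTS, USER_TRUSTED, "consensus"))
```

Two details are worth noticing. The forged certificate is rejected because the user's chosen notaries disagree with it, and the one notary that would have vouched for it does not count because the user never selected it. And the two modes trade availability for strictness: majority mode tolerates an unreachable notary, consensus mode treats it as a failure, which is exactly the choice Convergence leaves to the user rather than to a CA.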