TurkTrust Incident

As the Mozilla security blog post outlines, we recently explicitly dis-trusted two mis-issued intermediate certificates from a CA called TurkTrust. We have also suspended the addition of a replacement root of theirs to our root store while we consider our options.

The advisories for other CAs are linked from the Opera advisory. Two browsers have revoked the EV status from TurkTrust’s root. It is worth noting in this connection that the two roots which are currently in Mozilla’s root store are not EV-enabled. The replacement root was due to be (bug 788321), but was not at the time that its inclusion was suspended.

For those interested in the technical details of what happened, TurkTrust have posted two messages on the CAB Forum public mailing list which set out the story from their point of view, and also give some pieces of their root cause analysis.

Their explanation is, in short, that there was a technical mix-up of certificate profiles between a test and a production system. Two “intermediate cert” profiles added only to the test system were mistakenly added to the production system under identifiers which were already allocated for other profiles – and so were used to issue two certificates. When the profile mismatch was found and corrected, that “solved” the problem, and no further certs were mis-issued. This happened 18 months ago, and only came to light when (it seems) the organization which was given one of these mis-issued certificates decided to use it for MITM in their corporate firewall.