(Clarifies the agency in third paragraph)
By Joseph Menn
SAN FRANCISCO, Jan 3 - An agency of the Turkish
government deployed a deceptive version of some Google Inc
web pages, possibly to monitor activity by its
employees, major Internet companies said on Thursday.
The reports are the latest in a series of incidents in which
hackers or governments have taken advantage of the loose rules
surrounding the standard security for financial and other
sensitive sites, those with Web addresses starting with Https.
In the most recent case, an Ankara public transit agency
known as EGO obtained the capacity to validate such Web pages
from a Turkish certificate authority called TurkTrust, which is
among the hundreds of entities treated as reliable by all major
Internet browsers, Microsoft Corp said in a blog post.
Last month, EGO issued an improper certificate that told
some visitors to Google they had reached it securely when they
had not, Google said. The ruse was detected because, unlike other
browsers, Google's Chrome warns users and the company if an
unexpected certificate is authenticating a Google site.
Google contacted TurkTrust, which said it had "mistakenly"
granted the right to authenticate any site to two organizations
in August 2011. Google also warned browser makers including
Microsoft and Mozilla, makers of Internet Explorer and Firefox,
and all three will now block sites that were authenticated by
EGO and another TurkTrust customer.
Though only Google was demonstrably faked, giving EGO access
to Gmail and search activity, many other pages could have been
faked without any of the real companies knowing about it.
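The two checks at issue above, as an added example that is not part of this article: ordinary chain validation accepts a certificate issued under any trusted authority, so a certificate from a mis-issued intermediate passes, while a pin on the site owner's own CA key, the kind of check Chrome applied to Google's sites, rejects it. All certificates, CA names and the www.example.test host are constructed stand-ins, and the Go standard library is used throughout.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// spkiPin is the SHA-256 of a certificate's SubjectPublicKeyInfo, the value browser pins compare.
func spkiPin(c *x509.Certificate) [32]byte { return sha256.Sum256(c.RawSubjectPublicKeyInfo) }
// mkCert issues a constructed test certificate signed by parent (self-signed when parent is nil).
func mkCert(cn string, isCA bool, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		DNSNames: []string{cn}, IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	if parent == nil { parent, pkey = tpl, key } // a root signs itself
	der, err := x509.CreateCertificate(rand.Reader, tpl, parent, pub, pkey)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// checkChain mimics a pinning browser: path validation to the trusted root first, then some key in the chain must match a pin.
func checkChain(host string, leaf, inter, root *x509.Certificate, pins map[[32]byte]bool) string {
	roots, pool := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	pool.AddCert(inter)
	chains, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots, Intermediates: pool})
	if err != nil { return "untrusted" }
	for _, c := range chains[0] {
		if pins[spkiPin(c)] { return "ok" }
	}
	return "pin-mismatch" // the chain validated, but no pinned key appears in it
}
// scenario: one root signs the site's own CA and, by mistake, an unrelated CA that then issues a certificate for the site.
func scenario() (fake, genuine string) {
	const host = "www.example.test"
	root, rootKey := mkCert("root-ca.test", true, nil, nil)
	siteCA, siteKey := mkCert("site-ca.test", true, root, rootKey)
	rogueCA, rogueKey := mkCert("misissued-ca.test", true, root, rootKey)
	fakeLeaf, _ := mkCert(host, false, rogueCA, rogueKey)
	realLeaf, _ := mkCert(host, false, siteCA, siteKey)
	pins := map[[32]byte]bool{spkiPin(siteCA): true} // the site owner pins its own CA's key
	return checkChain(host, fakeLeaf, rogueCA, root, pins), // validates (any trusted CA may vouch for any site) but fails the pin
		checkChain(host, realLeaf, siteCA, root, pins)
}
```

A site without a pin in the browser would see only the "validates" half of that result, which is why the other faked pages the article mentions could have gone unnoticed.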
Spokesmen for the Turkish Embassy in Washington and the
consulates in New York and Los Angeles could not be reached for
Few details were provided by the technology companies, but
one person involved with the issue said that it appeared that
the fake Google.com had been displayed on one internal network.
"The logical theory is that the transportation agency was
using it to spy on its own employees," said Chris Soghoian, a
former Federal Trade Commission technology expert now working
for the American Civil Liberties Union.
Validation authority alone isn't enough to intercept
traffic, the most likely goal of the project. The holder of the
certificate would also have to get between the Web user and the
site.
A similar situation developed in 2011, when Dutch
certificate authority DigiNotar said it had been hacked and that
certificates had been stolen. Google later warned that a fake
certificate for its site was showing up in Iran, and it warned
Gmail users in that country to change their passwords.
Soghoian and other technologists have complained for years
that the system behind Https sites is broken, but the industry
has been slow to change.
Among other issues, the certificate authorities can resell
the right to authenticate and don't have to disclose who their
"The entire Web relies on every single certificate authority
being honest and secure," Soghoian said. "It's a ticking time
(Reporting by Joseph Menn; Editing by Steve Orlofsky)