However, on Dec. 6 someone installed the Web mail sub-CA certificate and its corresponding private key in a firewall appliance manufactured by Check Point that was configured to run as a man-in-the-middle proxy, Turktrust said. That same day, the firewall used it to generate a fraudulent certificate for *.google.com.
"It appears that the firewall automatically generates MITM certificates once a CA cert is installed," Turktrust said.
The CA did not name the customers that received the two intermediate CA certificates, but according to a Microsoft security advisory published Thursday, they were issued for e-islem.kktcmerkezbankasi.org, a domain that belongs to the Central Bank of the Turkish Republic of Northern Cyprus, and for *.EGO.GOV.TR, the domain of the EGO General Directorate, an agency of the Municipality of Ankara that provides public services related to electricity, gas and transportation.
The unauthorized *.google.com certificate appears to have been issued using the *.EGO.GOV.TR sub-CA certificate.
According to documentation published on Check Point's website, some of its gateway security products do have HTTPS inspection capabilities. By default this feature uses a self-signed CA certificate that needs to be deployed on the network computers before it can be used to inspect HTTPS traffic without triggering certificate warnings in browsers.
However, the feature also allows customers to import their own CA certificate, which is what happened with the *.EGO.GOV.TR sub-CA certificate.
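The chain described above, rebuilt in Go as an added example that is not code from the article, Turktrust or Check Point: with constructed keys it issues a root, a *.EGO.GOV.TR sub-CA with CA:TRUE and no name constraints, and a *.google.com leaf signed by that sub-CA, then shows that the chain validates exactly as a browser would while two defender-side checks still flag it, an issuer allow-list per host and a check for unconstrained sub-CAs. The root name and the allow-list entry are placeholders.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// tmpl is a minimal template; isCA is the basicConstraints flag that let the EGO certificate sign others.
func tmpl(name string, isCA bool) *x509.Certificate {
	return &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		DNSNames: []string{name}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign}
}
// sign issues t from parent with pkey (self-signed when parent is nil); returns the cert and its own new key.
func sign(t, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	if parent == nil {
		parent, pkey = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, pkey)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der)
	return c, key
}
// Audit reports whether the chain validates for host as a browser checks it, plus what path validation misses.
func Audit(leaf, sub, root *x509.Certificate, host string, allow map[string]bool) (bool, []string) {
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inter.AddCert(sub)
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots, Intermediates: inter})
	var f []string
	if !allow[leaf.Issuer.CommonName] { // pin: only listed issuers may vouch for this host
		f = append(f, host+": unexpected issuer "+leaf.Issuer.CommonName)
	}
	if sub.IsCA && len(sub.PermittedDNSDomains) == 0 { // a constrained sub-CA could not sign *.google.com
		f = append(f, "sub-CA "+sub.Subject.CommonName+" has no name constraints")
	}
	return err == nil, f
}
// Demo rebuilds the incident with constructed keys: root -> *.EGO.GOV.TR (CA:TRUE, unconstrained) -> *.google.com.
func Demo() (bool, []string) {
	root, rootKey := sign(tmpl("Constructed Root CA", true), nil, nil)
	sub, subKey := sign(tmpl("*.EGO.GOV.TR", true), root, rootKey)
	leaf, _ := sign(tmpl("*.google.com", false), sub, subKey)
	return Audit(leaf, sub, root, "www.google.com", map[string]bool{"Expected Google Issuer": true}) // placeholder allow-list
}
```

Demo returns true (the chain passes ordinary path validation) together with both findings, which is exactly why validation alone did not catch the EGO sub-CA.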
"The available data strongly suggests that the *.google.com cert was not issued for dishonest purposes or has not been used for such a purpose," Turktrust said. The company also stressed that there is no evidence of a security breach on its systems.
"I don't have enough experience with Checkpoint firewalls, but after looking at the details, this seems like a plausible scenario," Robert Graham, the CEO of security firm Errata Security, said Thursday in a blog post. "It's quite possible that the MitM was essentially accidental."
Other people are not that convinced that this was an accident. "Why would a certificate intended for end-entity SSL use (albeit actually enabled for CA use) be installed on a 'firewall'? What was the system administrator's intent?" Stephen Schultze, the associate director of the Center for Information Technology Policy at Princeton University, asked late Thursday on a Mozilla mailing list where the incident is being discussed.
"On what network was this Checkpoint device installed, and what set of users were being MITM'ed? Specific IP [Internet Protocol] blocks would be helpful," Schultze said in response to a message posted on the list by Mert Ozarar, project manager at Turktrust.
"We are certainly not in a position to answer these questions to the full extent," Turktrust said in a response posted Friday on the same mailing list. "However, it is almost apparent that the agency has wanted to configure the firewall as a MITM proxy for their internal users. Our thorough OCSP [Online Certificate Status Protocol] analysis has also supported this in the sense that almost 96% of OCSP requests stemmed from the EGO domain."