Google and Mozilla have announced that they've revoked two certificates erroneously issued by TurkTrust. Google says that an unauthorized digital certificate for the google.com was detected on Christmas Eve.
The certificate was blocked in Chrome immediately and it was traced back to an intermediate certificate authority covered by TurkTrust certificate authority (CA).
"In response, we updated Chrome’s certificate revocation metadata on December 25 to block that intermediate CA, and then alerted TURKTRUST and other browser vendors," Google explained
"TURKTRUST told us that based on our information, they discovered that in August 2011 they had mistakenly issued two intermediate CA certificates to organizations that should have instead received regular SSL certificates," it added.
Google blocked both certificates in Chrome on December 26. It now plans to no longer display "Extended Validation" status in Chrome for any certificate issued by TurkTrust. It's debating whether to also block any connection to HTTPS sites validated by the CA.
Mozilla announced that it too was revoking trust for the two problem certificates in a Firefox update landing next Tuesday. TurkTrust's root certificate is also being excluded from Firefox for the time being. Microsoft is doing the same, as are other browser vendors.