Microsoft has released a security advisory concerning a fraudulent digital certificate for all Google domains apparently created by the Turkish government. The certificate, which was created by a subsidiary Certificate Authority issued to the transportation directorate of the city government of Ankara, could have been used to intercept SSL traffic as part of a "man in the middle" attack to spoof Google's encryption certificate and decrypt secure Web sessions to Google Plus and GMail.

According to a statement from the Turkish certificate authority Turktrust, the organization mistakenly issued two organizations subsidiary CA certificates in 2011—created during testing of Turktrust's certificate production system—instead of the standard SSL certificates they were supposed to receive. Subsidiary CA certificates give the holder the ability to issue SSL certificates with the original CA's authority.

According to Turktrust, one of the two subsidiary CAs was revoked before it was used. But the second, issued to EGO.GOV.TR, was installed on a Microsoft Internet Information Services (IIS) server used for webmail by the agency until December 6—when the certificate and key were transferred to a Check Point firewall. The firewall, which has deep packet inspection and SSL interception features, automatically created man-in-the-middle certificates when the CA certificate was added to it, Turktrust said.

The problem went undetected until December 24, when Google discovered it through reports from the Chrome browser. On December 25, Google's Chrome security team pushed out an update of the browser's certificate revocation metadata to block certificates from the subsidiary CA, and then pushed out another update the next day when it learned Turktrust had issued a second (allegedly unused) subsidiary CA. Microsoft has pushed out a similar revocation, though users of Windows XP will have to manually remove the certificate from their trusted lists.

Turktrust officials said that there is no evidence that the certificate was used for "dishonest purposes," or that there was a breach of the security of Turktrust's systems as a result.