[Story updated 1.4.12; see below]

Santa wasn't the only one sneaking around on Christmas Eve this year. Google says that someone was caught trying to use an unauthorized digital certificate issued in its name in an attempt to impersonate Google.com for a man-in-the-middle attack.

Google revealed in a blog post Thursday that its Chrome web browser detected the certificate being used late on the evening of Dec. 24 and immediately blocked it.

The unauthorized certificate was created after a trusted root certificate authority in Turkey, Turktrust, issued intermediate certificate authority certificates to two entities last year that should not have received them. Turktrust told Google that it issued the two CA certificates by mistake, inadvertently giving the two entities certificate authority status.

With CA status, the two entities could then generate digital certificates, like a trusted certificate authority, for any domain. These digital certificates could then be misused to intercept traffic intended for that domain in order to steal log-in credentials or read communication.

Google did not identify the two entities who were issued CA certificates, but Microsoft identified them in a blog post as *.EGO.GOV.TR, a Turkish government agency that operates buses and other public transportation in that country, and http://e-islam.kktcmerkezbankasi.org, a domain that does not currently resolve to anything.

The unauthorized Google.com certificate was generated under the *.EGO.GOV.TR certificate authority and was being used to man-in-the-middle traffic on the *.EGO.GOV.TR network. Google's spokesman said the unauthorized Google certificate was created sometime in early December, fourteen months after Turktrust issued the CA certificate to *.EGO.GOV.TR.

The *.google.com certificate, a so-called wild-card certificate, would have allowed whoever was using it to intercept and read any communication that passed from users on the *.EGO.GOV.TR network to any google.com domain, including encrypted Gmail traffic.

[Update: Turktrust published a blog post on Thursday providing more details about what happened. According to the post, a firewall automatically generated the Google certificate on Dec. 6, due to a quirk in its configuration.

"Before December 6, 2012, the [CA authority] certificate was installed on an IIS as a web mail server," Turktrust writes in the post. "On December 6, 2012, the cert (and the key) was exported to a new firewall. It was the same day as the issuance of the fraudulent certificate (*.google.com). The firewall was said to be configured as MITM. It appears that the firewall automatically generates MITM certificates once a CA cert was installed (http://www.gilgil.net/communities/19714)."]

Google engineers have updated Chrome's revocation list to block any other unauthorized certificates that might have been issued by the two companies. Google also notified Microsoft and Mozilla so that they could update their browsers to block certificates from these companies. Mozilla said in a blog post that it was also suspending Turktrust from inclusion in its trusted root certificate list pending further investigation into how the mix-up occurred.

This is at least the third time that a fraudulent certificate for Google has been issued. In 2011, a hacker was able to trick a certificate authority in Europe, Comodo Group, into issuing him fraudulent certificates for domains belonging to Google, Microsoft and Yahoo.

A couple of months later, intruders broke into the network of Dutch certificate authority DigiNotar and were able to issue themselves more than 200 fraudulent certificates, including one for Google.