Google warns of fake digital certificates

Google has warned of unauthorised digital certificates issued for several of its domains that could be used to intercept data traffic

Google has warned of unauthorised digital certificates issued for several of its domains that could be used to intercept data traffic to its services.

The fake certificates were issued by intermediate certificate authority CNNIC which is owned by MCS Holdings, said Google engineer Adam Langley.

“CNNIC is included in all major root stores and so the mis-issued certificates would be trusted by almost all browsers and operating systems,” Langley wrote in a blog post.

However, he said Chrome on Windows, OS X, and Linux, ChromeOS, and Firefox 33 and newer will rejected these certificates because of public-key pinning.

Public-key pinning enables online services to specify which certificate authorities have issued valid digital certificates for their sites and reject ones that have not come from known authorities.

Read more about SSL vulnerabilities

Rash of fake certificate security issues

The fake Google certificates are the latest in a string of security issues that have hit the secure sockets layer/transport layer security (SSL/TLS) encryption system used to secure internet https connections.

Earlier in March 2015, Microsoft warned that an SSL certificate for the domain had been “improperly issued” and could be used to spoof content and perform phishing attacks or man in the middle attacks.

Apple patched a critical SSL flaw in iOS and Mac OS about a year ago, but that has since been followed by other SSL flaws better known as HeartbleedPoodle, Superfish, PrivDog and the Freak vulnerability.

Google alerted CNNIC and other major browsers about the incident, and CNNIC responded by saying it had contracted with MCS Holdings on the basis that MCS would only issue certificates for domains they had registered.

“However, rather than keep the private key in a suitable HSM (hardware security module), MCS installed it in a man-in-the-middle proxy,” said Langley.

“These devices intercept secure connections by masquerading as the intended destination and are sometimes used by companies to intercept their employees’ secure traffic for monitoring or legal reasons.”

Auditing SSL certificates in real time

In these cases, employees’ computers have to be configured to trust a proxy. But in this case, the presumed proxy was given the full dominion of a public certificate authority (CA).

Langley said there is no indication unauthorised certificates have been abused, but said the incident represents a serious breach of the CA system.

He also said the incident highlights that Google’s Certificate Transparency effort is critical for protecting the security of certificates in the future.

Certificate Transparency helps eliminate security flaws in the system by providing an open framework for monitoring and auditing SSL certificates in near real time.

Certificate Transparency makes it possible to detect SSL certificates that have been mistakenly issued by a certificate authority or maliciously acquired from an otherwise unimpeachable certificate authority.

It also makes it possible to identify certificate authorities that have gone rogue and are maliciously issuing certificates, according to Google.

Read more on Hackers and cybercrime prevention

Data Center
Data Management