Google has warned of unauthorised digital certificates issued for several of its domains that could be used to intercept data traffic to its services.
“CNNIC is included in all major root stores and so the mis-issued certificates would be trusted by almost all browsers and operating systems,” Langley wrote in a blog post.
However, he said Chrome on Windows, OS X, and Linux, ChromeOS, and Firefox 33 and newer will rejected these certificates because of public-key pinning.
Public-key pinning enables online services to specify which certificate authorities have issued valid digital certificates for their sites and reject ones that have not come from known authorities.
Read more about SSL vulnerabilities
- PrivDog compromises the secure sockets layer (SSL) protocol used to secure online transactions.
- The Poodle SSL vulnerability has been patched, yet new vulnerabilities are causing concern.
- Researchers say the SSL flaw in Microsoft Windows could be worse than Heartbleed.
- Following Heartbleed, six more OpenSSL vulnerabilities have been discovered.
Rash of fake certificate security issues
The fake Google certificates are the latest in a string of security issues that have hit the secure sockets layer/transport layer security (SSL/TLS) encryption system used to secure internet https connections.
Earlier in March 2015, Microsoft warned that an SSL certificate for the domain live.fi had been “improperly issued” and could be used to spoof content and perform phishing attacks or man in the middle attacks.
Apple patched a critical SSL flaw in iOS and Mac OS about a year ago, but that has since been followed by other SSL flaws better known as Heartbleed, Poodle, Superfish, PrivDog and the Freak vulnerability.
Google alerted CNNIC and other major browsers about the incident, and CNNIC responded by saying it had contracted with MCS Holdings on the basis that MCS would only issue certificates for domains they had registered.
“However, rather than keep the private key in a suitable HSM (hardware security module), MCS installed it in a man-in-the-middle proxy,” said Langley.
“These devices intercept secure connections by masquerading as the intended destination and are sometimes used by companies to intercept their employees’ secure traffic for monitoring or legal reasons.”
Auditing SSL certificates in real time
In these cases, employees’ computers have to be configured to trust a proxy. But in this case, the presumed proxy was given the full dominion of a public certificate authority (CA).
Langley said there is no indication unauthorised certificates have been abused, but said the incident represents a serious breach of the CA system.
He also said the incident highlights that Google’s Certificate Transparency effort is critical for protecting the security of certificates in the future.
Certificate Transparency helps eliminate security flaws in the system by providing an open framework for monitoring and auditing SSL certificates in near real time.
Certificate Transparency makes it possible to detect SSL certificates that have been mistakenly issued by a certificate authority or maliciously acquired from an otherwise unimpeachable certificate authority.
It also makes it possible to identify certificate authorities that have gone rogue and are maliciously issuing certificates, according to Google.