Special Feature
Part of a ZDNet Special Feature: IT Security in the Snowden Era

French government CA attempts to explain certificate spoofing

The certificate authority which issued unauthorized certificates for Google domains issues a lame explanation which only makes the incident more suspicious.

As we have reported in the last few days, both  Google  and  Microsoft  have reported the creation of unauthorized SSL certificates for Google and other domains, issued by an improper intermediate certificate authority subordinate to the CA for the government of France.

That certificate authority released an announcement about the issue this past Saturday, December 7:

As a result of a human error which was made during a process aimed at strengthening the overall IT security of the French Ministry of Finance, digital certificates related to third-party domains which do not belong to the French administration have been signed by a certification authority of the DGTrésor (Treasury) which is attached to the IGC/A.

The mistake has had no consequences on the overall network security, either for the French administration or the general public. The aforementioned branch of the IGC/A has been revoked preventively.

The reinforcement of the whole IGC/A process is currently under supervision to make sure no incident of this kind will ever happen again.

Translated from bureaucratic/PR-speak, it says "Sorry we did this, no harm no foul, it won't happen again." But the explanation doesn't really make sense. It's not hard to see how, as part of an exercise, ANSSI (Agence nationale de la sécurité des systèmes d'information, the French government certificate authority) would create an intermediate certificate authority. There's no good reason for that authority, in an exercise or for any other function, to sign fake certificates for other organizations' domains.

One could speculate as to the reasons: It's possible that they were attempting to use fake certificates to spy on traffic to and from those sites. That would at least be a reason.

Another open question in this matter is how Google found out about it, especially if, as ANSSI says, "[T]he mistake has had no consequences on the overall network security, either for the French administration or the general public."

Newsletters

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.
See All