French government CA attempts to explain certificate spoofing

Summary: The certificate authority which issued unauthorized certificates for Google domains issues a lame explanation which only makes the incident more suspicious.

As we have reported in the last few days, both Google and Microsoft have reported the creation of unauthorized SSL certificates for Google and other domains, issued by an improper intermediate certificate authority subordinate to the CA for the government of France.

That certificate authority released an announcement about the issue this past Saturday, December 7:

As a result of a human error which was made during a process aimed at strengthening the overall IT security of the French Ministry of Finance, digital certificates related to third-party domains which do not belong to the French administration have been signed by a certification authority of the DGTrésor (Treasury) which is attached to the IGC/A.

The mistake has had no consequences on the overall network security, either for the French administration or the general public. The aforementioned branch of the IGC/A has been revoked preventively.

The reinforcement of the whole IGC/A process is currently under supervision to make sure no incident of this kind will ever happen again.

Translated from bureaucratic/PR-speak, it says "Sorry we did this, no harm no foul, it won't happen again." But the explanation doesn't really make sense. It's not hard to see how, as part of an exercise, ANSSI (Agence nationale de la sécurité des systèmes d'information, the French government certificate authority) would create an intermediate certificate authority. There's no good reason for that authority, in an exercise or for any other function, to sign fake certificates for other organizations' domains.

One could speculate as to the reasons: It's possible that they were attempting to use fake certificates to spy on traffic to and from those sites. That would at least be a reason.

Another open question in this matter is how Google found out about it, especially if, as ANSSI says, "[T]he mistake has had no consequences on the overall network security, either for the French administration or the general public."

Topics: Security, Government

About

Larry Seltzer has long been a recognized expert in technology, with a focus on mobile technology and security in recent years. He was most recently Editorial Director of BYTE, Dark Reading and Network Computing at UBM Tech. Prior to that he spent over a decade consulting and writing on technology subjects, primarily in the area of sec...
