French government CA attempts to explain certificate spoofing

French government CA attempts to explain certificate spoofing

Summary: The certificate authority which issued unauthorized certificates for Google domains issues a lame explanation which only makes the incident more suspicious.

SHARE:

As we have reported in the last few days, both Google and Microsoft have reported the creation of unauthorized SSL certificates for Google and other domains, issued by an improper intermediate certificate authority subordinate to the CA for the government of France.

That certificate authority released an announcement about the issue this past Saturday, December 7:

As a result of a human error which was made during a process aimed at strengthening the overall IT security of the French Ministry of Finance, digital certificates related to third-party domains which do not belong to the French administration have been signed by a certification authority of the DGTrésor (Treasury) which is attached to the IGC/A.

The mistake has had no consequences on the overall network security, either for the French administration or the general public. The aforementioned branch of the IGC/A has been revoked preventively.

The reinforcement of the whole IGC/A process is currently under supervision to make sure no incident of this kind will ever happen again.

Translated from bureaucratic/PR-speak, it says "Sorry we did this, no harm no foul, it won't happen again." But the explanation doesn't really make sense. It's not hard to see how, as part of an exercise, ANSSI (Agence nationale de la sécurité des systèmes d'information, the French government certificate authority) would create an intermediate certificate authority. There's no good reason for that authority, in an exercise or for any other function, to sign fake certificates for other organizations' domains.

One could speculate as to the reasons: It's possible that they were attempting to use fake certificates to spy on traffic to and from those sites. That would at least be a reason.

Another open question in this matter is how Google found out about it, especially if, as ANSSI says, "[T]he mistake has had no consequences on the overall network security, either for the French administration or the general public."

Topics: IT Security in the Snowden Era, Government, Security

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

1 comment
Log in or register to join the discussion
  • Should have consulted with the NSA to see how they do it.

    Rank amateurs. Sacre bleu! Mon Dieu!
    IT_Fella