
French government CA attempts to explain certificate spoofing

The certificate authority which issued unauthorized certificates for Google domains issues a lame explanation which only makes the incident more suspicious.
Written by Larry Seltzer, Contributing Editor on

As we have reported in the last few days, both Google and Microsoft have reported the creation of unauthorized SSL certificates for Google and other domains, issued by an improper intermediate certificate authority subordinate to the CA for the government of France.

That certificate authority released an announcement about the issue this past Saturday, December 7:

As a result of a human error which was made during a process aimed at strengthening the overall IT security of the French Ministry of Finance, digital certificates related to third-party domains which do not belong to the French administration have been signed by a certification authority of the DGTrésor (Treasury) which is attached to the IGC/A.

The mistake has had no consequences on the overall network security, either for the French administration or the general public. The aforementioned branch of the IGC/A has been revoked preventively.

The reinforcement of the whole IGC/A process is currently under supervision to make sure no incident of this kind will ever happen again.

Translated from bureaucratic/PR-speak, it says "Sorry we did this, no harm no foul, it won't happen again." But the explanation doesn't really make sense. It's not hard to see how, as part of an exercise, ANSSI (Agence nationale de la sécurité des systèmes d'information, the French government certificate authority) would create an intermediate certificate authority. There's no good reason for that authority, in an exercise or for any other function, to sign fake certificates for other organizations' domains.

One could speculate as to the reasons: It's possible that they were attempting to use fake certificates to spy on traffic to and from those sites. That would at least be a reason.

Another open question in this matter is how Google found out about it, especially if, as ANSSI says, "[T]he mistake has had no consequences on the overall network security, either for the French administration or the general public."
