Google security slammed by fake web certificates

The tech giant's security has been compromised by unauthorized digital certificates issued for its domains.


Google has admitted that unauthorized digital certificates have been issued for a number of the company's domains.

Google security engineer Adam Langley said the company became aware of unauthorized digital certificates being issued for several Google domains on March 20. In a blog post on Monday, the engineer said the certificates were issued by an intermediate certificate authority which the tech giant believes is held by a company called MCS Holdings, an Egyptian company which operates under the China Internet Network Information Center (CNNIC).

CNNIC is included in all major root stores and so "the misissued certificates would be trusted by almost all browsers and operating systems," Langley says. However, a fail-safe process called public-key pinning -- which tells web clients to associate particular cryptographic public keys with specific web servers -- will keep Chrome on Windows, OS X and Linux, ChromeOS, and Firefox 33 and above from accepting such fake certificates.
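An added example, not taken from the article or from Google's or Mozilla's code: a minimal Python model of the pin check described above, layered on ordinary root-store validation. The SPKI byte strings, the `example.test` pin entry and all function names are constructed for illustration; the hash form is the `pin-sha256` encoding from RFC 7469.

```python
import base64
import hashlib

def spki_pin(spki_der: bytes) -> str:
    """base64(SHA-256(SubjectPublicKeyInfo)), the pin-sha256 form from RFC 7469."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

# Constructed stand-ins for DER-encoded SubjectPublicKeyInfo blobs (not real keys).
SITE_LEAF = b"constructed-spki: site leaf key"
SITE_CA = b"constructed-spki: CA the site actually uses"
ROGUE_LEAF = b"constructed-spki: proxy-generated leaf key"
ROGUE_INTERMEDIATE = b"constructed-spki: misissued intermediate"
TRUSTED_ROOT = b"constructed-spki: root present in root stores"

# Hypothetical pin store: domain -> (include_subdomains, allowed pins).
PINS = {"example.test": (True, {spki_pin(SITE_CA)})}

def pins_for(host, store):
    """Return the pin set covering host, or None if the host is not pinned."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        entry = store.get(".".join(labels[i:]))
        if entry and (i == 0 or entry[0]):  # parent entry applies only with include_subdomains
            return entry[1]
    return None

def connection_allowed(host, chain_spkis, chains_to_trusted_root, store=PINS):
    """Ordinary chain validation first, then the pin check on top of it."""
    if not chains_to_trusted_root:
        return False
    pins = pins_for(host, store)
    if pins is None:
        return True  # unpinned host: root-store trust is the only gate
    return any(spki_pin(spki) in pins for spki in chain_spkis)

if __name__ == "__main__":
    genuine = [SITE_LEAF, SITE_CA]
    forged = [ROGUE_LEAF, ROGUE_INTERMEDIATE, TRUSTED_ROOT]
    print(connection_allowed("mail.example.test", genuine, True))  # True
    print(connection_allowed("mail.example.test", forged, True))   # False: no pinned key in chain
    print(connection_allowed("unpinned.test", forged, True))       # True: root trust alone accepts it
```

The third case is why pinning only protects the domains that are pinned: a chain that anchors to a trusted root is accepted for every other host.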

Google says that upon discovery, the firm alerted CNNIC and "other major browsers" about the security incident, and blocked the MCS Holdings certificate immediately in Chrome with a CRLSet push. Over the weekend, CNNIC responded and explained they had "contracted with MCS Holdings on the basis that MCS would only issue certificates for domains that they had registered." However, instead of keeping the private key in a suitable hardware security module, MCS installed it in a man-in-the-middle proxy.

Man-in-the-middle proxies intercept secure connections by pretending to be the intended destination of traffic and can be used in a variety of ways, such as monitoring employee browsing at work. However, in this scenario, a breach of the certificate authority system took place.

A business that wishes to use such a proxy to monitor secure traffic usually has to set staff computers to accept and trust the proxy. In MCS's case, however, the proxy was given the full authority of the certificate authority.

The tech giant says other websites may have also been impersonated.

Langley writes:

"This explanation is congruent with the facts. However, CNNIC still delegated their substantial authority to an organization that was not fit to hold it."

In a separate post on the Mozilla Security blog, the firm states:

"While this is not a Firefox-specific issue, to protect our users we are adding the revoked certificate to OneCRL, our mechanism for directly sending revocation information to Firefox which will be shipping in Firefox 37."

Google has assured users there has been no indication of abuse and that Chrome users do not need to take any action, including changing passwords.
