Establishing Digital Trust: Don't Sacrifice Security for Convenience
The purpose of an SSL/TLS digital certificate is to provide a degree of authenticity and integrity to an encrypted connection. The SSL/TLS certificate helps users positively identify sites, but what happens when a certificate is wrongly issued? Just ask Google, which has more experience than most in dealing with this issue.
On March 23 Google reported that unauthorized certificates for Google domains were issued by MCS Holdings, which is an intermediate certificate authority under CNNIC. Because CNNIC is a trusted CA that is included in every major Web browser, the certificate might have been trusted by default, even though it wasn't legitimate.
Google, thanks to its own past experience, leverages HTTP public key pinning (HPKP) in Chrome and Firefox. With HPKP, sites can "pin" certificates that they will allow. As such, fraudulent certificates not pinned by Google would not be accepted as authentic.
Browsers that don't support HPKP in the same way, including Apple Safari and Microsoft Internet Explorer, might have been potentially tricked by the fraudulent certificates, however.
"We promptly alerted CNNIC and other major browsers about the incident, and we blocked the MCS Holdings certificate in Chrome with a CRLSet push," Google Security Engineer Adam Langley wrote in a blog post. "Chrome users do not need to take any action to be protected by the CRLSet updates."https://o1.qnsr.com/log/p.gif?;n=203;c=204650394;s=9477;x=7936;f=201801171506010;u=j;z=TIMESTAMP;a=20392931;e=i
Google uses CRLset, a certificate revocation list, to get certificates to be untrusted by the Chrome browser. Google has no indication that the fraudulent certificates were actually used in an attack, Langley added.
As to how and why CNNIC let an unauthorized Google certificate be issued, CNNIC said that MCS was using the certificate as a man-in-the-middle proxy.
"These devices intercept secure connections by masquerading as the intended destination and are sometimes used by companies to intercept their employees’ secure traffic for monitoring or legal reasons," Langley explained.
Langley said that since the proxy had a certificate issued by a public CA, the employee connections trusted the proxy.
CCNIC joins a growing list of CAs that have issued fraudulent certificates for Google over the past few years. Comodo in 2011 and Turktrust in 2013 also issued fraudulent Google certificates via intermediaries.
Sean Michael Kerner is a senior editor at eSecurityPlanet and InternetNews.com. Follow him on Twitter @TechJournalist.