Security Advisor
Google Issues Warning on Rogue Chinese Digital TLS Certs
The company has warned that the bogus Internet certs could be used in man-in-the-middle attacks.
On Friday Google spotted unauthorized digital certificates for many of its domains that had been issued from Egypt. While Google saw no evidence that the impersonating certs had been misused, the company said attackers could realistically use them to intercept and monitor online traffic, according to a blog post on Monday.
According to the company, the bogus certificates, which are trusted by all major browsers and OSes, were issued by an Egypt-based intermediate cert authority named MCS Holdings, which operates under the China Internet Network Information Center (CNNIC) -- a trusted nonprofit security certificate verification organization. CNNIC is also responsible for China's Internet affairs and is an extension of the Chinese government's Ministry of Information Industry.
When Google contacted CNNIC about the bad certs, CNNIC said that MCS was only supposed to issue certificates for domains registered by the Chinese Internet center. However, Google's researchers found this was not the case.
"However, rather than keep the private key in a suitable HSM, MCS installed it in a man-in-the-middle proxy," wrote Adam Langley, security engineer for Google. "These devices intercept secure connections by masquerading as the intended destination and are sometimes used by companies to intercept their employees' secure traffic for monitoring or legal reasons. The employees' computers normally have to be configured to trust a proxy for it to be able to do this. However, in this case, the presumed proxy was given the full authority of a public CA [certificate authority], which is a serious breach of the CA system."
Along with alerting other tech vendors, including Microsoft and Apple, to the potentially dangerous certs, Google said that its Chrome Web browser running on any other platform would have automatically rejected the certificates thanks to the browser's built-in public key pinning security feature.
Mozilla also issued a statement saying that the next version of its Firefox browser (Firefox 37) will automatically revoke the certs issued by CNNIC and may conduct a security audit to confirm that "the CA updated their procedures, and using name constraints to constrain the CA's hierarchy to certain domains."
Microsoft has yet to comment on any actions it may be planning to take to block the rogue certs in Internet Explorer or Windows. According to the company's modern.IE developer site, a public key pinning feature similar to Chrome's is under consideration for future versions of Internet Explorer.
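As an added illustration, not code from the article, from Google, or from any of the vendors named, the following Go program builds a small constructed PKI offline and shows the two controls the article refers to: Chrome-style public key pinning (a chain from an unconstrained sub-CA validates against the trusted root, yet no key in it matches the pin set, so it is rejected) and the name constraints Mozilla mentions (a sub-CA limited to its own domains cannot be used to validate a certificate for www.google.com, while it still works for a name inside its permitted domain). All certificate names, the pin set, the host names and the serial counter are constructed for this example and do not describe the real CNNIC or MCS Holdings hierarchy.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// Scenario holds the constructed chains: a trusted root, a legitimate
// intermediate whose key is pinned, an unconstrained rogue sub-CA signed by
// the same root, and a name-constrained sub-CA. Pins are base64(SHA-256(SPKI)).
type Scenario struct {
	Root, LegitInter, LegitLeaf                       *x509.Certificate
	RogueInter, RogueLeaf                             *x509.Certificate
	ConstrainedInter, ConstrainedLeaf, ConstrainedOKLeaf *x509.Certificate
	Pins                                              map[string]bool
}

var serial int64 // constructed serial counter, not a real CA's numbering

func newTemplate(cn string, isCA bool, dns []string) *x509.Certificate {
	serial++
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: isCA, DNSNames: dns,
	}
	if isCA {
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else {
		t.KeyUsage = x509.KeyUsageDigitalSignature
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// issue signs tmpl with parent/parentKey; a nil parent yields a self-signed cert.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// spkiPin is the hash browsers pin: SHA-256 over the SubjectPublicKeyInfo, not the whole cert.
func spkiPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// Outcome is what a pinning browser would conclude about one presented chain.
type Outcome struct {
	ChainValid bool
	PinMatched bool
	Err        error
}

// evaluate performs ordinary path validation (which also enforces name
// constraints) and then, for a pinned host, requires some certificate in the
// chain to carry a pinned SPKI. A nil pin set means the host is not pinned.
func evaluate(leaf, inter, root *x509.Certificate, host string, pins map[string]bool) Outcome {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(inter)
	chains, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots, Intermediates: inters})
	if err != nil {
		return Outcome{Err: err}
	}
	if pins == nil {
		return Outcome{ChainValid: true}
	}
	for _, c := range chains[0] {
		if pins[spkiPin(c)] {
			return Outcome{ChainValid: true, PinMatched: true}
		}
	}
	return Outcome{ChainValid: true, Err: fmt.Errorf("chain validates but no SPKI in it is pinned for %s", host)}
}

func BuildScenario() Scenario {
	root, rootKey := issue(newTemplate("Constructed Trusted Root", true, nil), nil, nil)
	legitInter, legitKey := issue(newTemplate("Constructed Pinned Intermediate", true, nil), root, rootKey)
	legitLeaf, _ := issue(newTemplate("www.google.com", false, []string{"www.google.com"}), legitInter, legitKey)
	rogueInter, rogueKey := issue(newTemplate("Constructed Unconstrained Sub-CA", true, nil), root, rootKey)
	rogueLeaf, _ := issue(newTemplate("www.google.com", false, []string{"www.google.com"}), rogueInter, rogueKey)
	ct := newTemplate("Constructed Name-Constrained Sub-CA", true, nil)
	ct.PermittedDNSDomainsCritical = true
	ct.PermittedDNSDomains = []string{"sub-ca.test"} // constructed namespace
	constrainedInter, cKey := issue(ct, root, rootKey)
	constrainedLeaf, _ := issue(newTemplate("www.google.com", false, []string{"www.google.com"}), constrainedInter, cKey)
	okLeaf, _ := issue(newTemplate("proxy.sub-ca.test", false, []string{"proxy.sub-ca.test"}), constrainedInter, cKey)
	return Scenario{root, legitInter, legitLeaf, rogueInter, rogueLeaf, constrainedInter, constrainedLeaf, okLeaf,
		map[string]bool{spkiPin(legitInter): true}}
}

func main() {
	s := BuildScenario()
	fmt.Printf("legit chain:        %+v\n", evaluate(s.LegitLeaf, s.LegitInter, s.Root, "www.google.com", s.Pins))
	fmt.Printf("rogue chain:        %+v\n", evaluate(s.RogueLeaf, s.RogueInter, s.Root, "www.google.com", s.Pins))
	fmt.Printf("constrained chain:  %+v\n", evaluate(s.ConstrainedLeaf, s.ConstrainedInter, s.Root, "www.google.com", s.Pins))
	fmt.Printf("in-namespace chain: %+v\n", evaluate(s.ConstrainedOKLeaf, s.ConstrainedInter, s.Root, "proxy.sub-ca.test", nil))
}
```

The rogue case is the one the article describes: path validation alone accepts the certificate because the sub-CA chains to a trusted root, and only the pin check (or a name constraint on the sub-CA) stops it. Pins are computed over the public key rather than the certificate so that a site can renew its certificate under the same key without breaking clients.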