Security Advisor

Google Issues Warning on Rogue Chinese Digital TLS Certs

The company has warned that the bogus Internet certs could be used in man-in-the-middle attacks.

On Friday Google spotted unauthorized digital certificates for many of its domains that had been issued from Egypt. While Google did not see any misuse of the impersonated encryption certs, the company said the possibility was real for attackers to use them to intercept and monitor online traffic, according to a blog post on Monday.

According to the company, the bogus certificates, which are trusted by all major browsers and OSes, were issued by an Egypt-based intermediate cert authority named MCS Holdings, which operates under the China Internet Network Information Center (CNNIC) -- a trusted nonprofit security certificate verification organization. CNNIC is also responsible for all Internet issues and is an extension of the Ministry of Information Industry for the Chinese government.

When Google contacted CNNIC about the bad certs, the company said that MCS only issued certificates for domains registered by the Chinese Internet center. However, researchers at Google did not find this to be the case.

"However, rather than keep the private key in a suitable HSM, MCS installed it in a man-in-the-middle proxy," wrote Adam Langley, security engineer for Google. "These devices intercept secure connections by masquerading as the intended destination and are sometimes used by companies to intercept their employees' secure traffic for monitoring or legal reasons. The employees' computers normally have to be configured to trust a proxy for it to be able to do this. However, in this case, the presumed proxy was given the full authority of a public CA [certificate authority], which is a serious breach of the CA system."

Along with alerting other tech vendors, including Microsoft and Apple, to the potentially dangerous certs, Google said that its Chrome Web browser running on any other platform would have automatically rejected the certificates thanks to the browser's built-in public key pinning security feature.

Mozilla also issued a statement saying that the next version of its Firefox browser (Firefox 37) will automatically revoke the certs issued by CNNIC and may conduct a security audit to confirm that "the CA updated their procedures, and using name constraints to constrain the CA's hierarchy to certain domains."

Microsoft has yet to comment on any actions it may be planning to take to block the rogue certs in Internet Explorer or Windows. According to the company's modern.IE developer site, a similar public key pinning feature found in Chrome is currently being considered for future versions of Internet Explorer.

About the Author

Chris Paoli is the site producer for Redmondmag.com and MCPmag.com.

Featured

  • Windows Admin Center vs. Hyper-V Manager: What's Better for Managing VMs?

    Microsoft's preferred interface for Windows Server is Windows Admin Center, but can it really replace Hyper-V Manager for managing virtual machines? Brien compares the two management tools.

  • Microsoft Offers More Help on Windows Server 2008 Upgrades

    Microsoft this week published additional help resources for organizations stuck on Windows Server 2008, which fell out of support on Jan. 14.

  • Microsoft Ups Its Carbon Reduction Goals

    Microsoft on Thursday announced a corporatewide carbon reduction effort that aims to make the company "carbon negative" by 2030.

  • How To Dynamically Lock Down an Unattended Windows 10 PC

    One of the biggest security risks in any organization happens when a user walks away from their PC without logging out. Microsoft has the solution (and it's not a password-protected screensaver).

comments powered by Disqus

Office 365 Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.