False certificates were issued by a Cairo-based company in the latest incident affecting SSL
Google has warned that unauthorised digital certificates have been issued for several Google domains and possibly others, which it said could potentially be used by an attacker to impersonate those domains and make them appear secure.
The incident, following on from a similar breach involving Microsoft websites last week, is the latest indication of fundamental weaknesses in the way security certificates are issued, and the difficulty of removing trust in unauthorised certificates when they’re discovered.
The breach involved an intermediate certificate issued by China Internet Network Information Center (CNNIC), a non-profit organisation administered by Cyberspace Administration of China (CAC), to one of its customers, a Cairo-based networking and security company called MCS Holdings.
This intermediate certificate, designated a test certificate and limited to a two-week validity, was loaded into a firewall device, where it was apparently intended to be used to intercept traffic passing between the company’s own internal network and external domains, according to Google.
Such an arrangement, called a man-in-the-middle (MITM) proxy, is commonplace in corporate networks; normally the proxy forges server certificates on the fly and signs them with a private CA that only the company's own machines are configured to trust. In this case, however, the proxy had been loaded with a CNNIC-signed intermediate and was misconfigured in such a way that whenever a user inside the company's network accessed an external server, the firewall minted a certificate for that server, Google websites included, signed with that intermediate, Google said. Because the intermediate chained up to a publicly trusted root, any browser anywhere would have accepted those certificates, not only those inside MCS.
While the mis-issued certificates appear only to have been applied to traffic passing within MCS’ own internal network, the fact remains that such unauthorised certificates represent “a serious breach of the CA system”, wrote Google security engineer Adam Langley in an advisory.
“CNNIC… delegated their substantial authority to an organisation that was not fit to hold it,” Langley added.
Langley said Google discovered the certificates on 20 March and immediately contacted CNNIC, while also blocking the MCS Holdings certificate in its Chrome browser.
Firefox 33 and later already rejected the mis-issued certificates for Google's domains through a mechanism called public key pinning, under which the browser accepts a certificate for a pinned site only if its chain contains one of the public keys the site operator has registered, regardless of which CA signed it, Mozilla said. Pinning protects only domains that carry pins, however, and Mozilla added that the MCS intermediate itself will be permanently blocked in Firefox version 37.
“An attacker armed with a fraudulent SSL certificate and an ability to control their victim’s network could impersonate websites in a way that would be undetectable to most users,” Mozilla said in an advisory. “Such certificates could deceive users into trusting websites appearing to originate from the domain owners, but actually containing malicious content or software.”
However, Mozilla added that, like Google, it believes “this MITM instance was limited to CNNIC’s customer’s internal network”.
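The two checks described above, ordinary chain validation (which accepts the proxy's forged certificates) and public key pinning (which rejects them), are shown in the following Go program. It is an added example, not code from the original article nor from Google or Mozilla, and it builds a constructed root CA, a two-week unconstrained intermediate of the kind loaded into the MCS proxy, and a leaf the proxy mints for the constructed hostname www.example.com; every key and name is generated on the fly and is not real CNNIC or MCS material.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// Constructed scenario: a root CA, a two-week delegated intermediate sitting in
// a MITM proxy, and the leaf the proxy mints for a site a user visits.
type Scenario struct{ Root, Intermediate, ProxyLeaf *x509.Certificate }

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func newKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }

// issue signs tmpl (carrying pub) with signer; parent == tmpl self-signs.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))))
}

func caTemplate(serial int64, cn string, lifetime time.Duration) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(lifetime),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
}

// BuildScenario mirrors the incident: the intermediate is valid for two weeks
// and carries no name constraints, so it can sign for any hostname at all.
func BuildScenario(site string) *Scenario {
	rootKey, interKey, proxyKey := newKey(), newKey(), newKey()
	rootTmpl := caTemplate(1, "Constructed Root CA", 10*365*24*time.Hour)
	root := issue(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	inter := issue(caTemplate(2, "Constructed Test Intermediate", 14*24*time.Hour),
		root, &interKey.PublicKey, rootKey)
	// Per outbound connection the proxy mints a leaf for the destination name
	// and signs it with the intermediate it holds.
	leaf := issue(&x509.Certificate{
		SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: site},
		DNSNames:    []string{site},
		NotBefore:   time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, inter, &proxyKey.PublicKey, interKey)
	return &Scenario{Root: root, Intermediate: inter, ProxyLeaf: leaf}
}

// ChainValid is ordinary path validation by a client that trusts the root.
// It succeeds: nothing in X.509 itself marks the proxy's leaf as illegitimate.
func ChainValid(s *Scenario, site string) bool {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(s.Root)
	inters.AddCert(s.Intermediate)
	_, err := s.ProxyLeaf.Verify(x509.VerifyOptions{
		DNSName: site, Roots: roots, Intermediates: inters,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err == nil
}

// SPKIPin is the HPKP-style pin: base64(SHA-256(SubjectPublicKeyInfo)).
func SPKIPin(spki []byte) string {
	sum := sha256.Sum256(spki)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// PinCheck is the extra test a pinning client applies after path validation:
// some certificate in the presented chain must carry a key the site pinned.
func PinCheck(chain []*x509.Certificate, pins map[string]bool) bool {
	for _, c := range chain {
		if pins[SPKIPin(c.RawSubjectPublicKeyInfo)] {
			return true
		}
	}
	return false
}

func main() {
	site := "www.example.com" // constructed destination name
	s := BuildScenario(site)
	chain := []*x509.Certificate{s.ProxyLeaf, s.Intermediate, s.Root}
	genuine := newKey() // the site's real key (constructed); the proxy never had it
	spki := must(x509.MarshalPKIXPublicKey(&genuine.PublicKey))
	fmt.Println("path validation accepts proxy leaf:", ChainValid(s, site))
	fmt.Println("pin check accepts proxy leaf:", PinCheck(chain, map[string]bool{SPKIPin(spki): true}))
}
```

Run as-is it prints `true` for path validation and `false` for the pin check: the forged chain is perfectly well-formed, and only a client that knows which key the real site should present can tell it apart. Pinning works only for sites that have registered pins, which is why the intermediate itself still had to be blocked for everyone else.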
US-based certificate authority Trustwave was criticised in 2012 over a similar incident, in which a subordinate CA certificate issued to a customer for use in a traffic-inspection device resulted in mis-issued certificates, and Google also alluded to a similar incident involving France-based certificate authority ANSSI in 2013.
The breach involving Microsoft’s live.fi domain last week, on the other hand, seems to have been due to a security failure on Microsoft’s part, but also highlighted the ease with which it is possible for hackers to acquire false certificates.
Google held out its Certificate Transparency project, aimed at quickly detecting mistakenly issued or fraudulent security certificates, as a possible solution to the problem.