Egyptian company says rogue Google SSL certificates were a mistake

26 Mar 2015

An Egyptian company that created unauthorized digital certificates for several Google domains said Wednesday it made a mistake and acted quickly when the error became known. Beijing: China’s cyberspace administration is “complicit” in attacks on major internet companies including Google, an anti-censorship group said Wednesday, calling on firms worldwide to strengthen their defences.

The SSL/TLS (Secure Sockets Layer/Transport Layer Security) certificates would have allowed MCS Holdings of Cairo to decrypt traffic sent by users on its network to Google, a major privacy concern. GreatFire.org, which operates websites seeking to circumvent China’s vast censorship apparatus, pointed to statements by Google, Microsoft and Mozilla as showing the Chinese government was involved in so-called “man-in-the-middle” operations. Such attacks involve an unauthorised intermediary inserting themselves between computer users and their online destinations, usually undetected, allowing them to harvest data traffic including passwords.

GreatFire.org said the firms’ statements amounted to “concrete evidence” the Cyberspace Administration of China (CAC), the government’s internet authority, and the China Internet Network Information Centre (CNNIC), the administrator, were “behind these malicious actions and are endangering safety and security on the internet for everyone”. That’s bad, because any browser accessing these domains via transport layer security (TLS; the latest security protocol, and a successor to SSL) counts on a certificate in order to be sure that it’s connecting with the real McCoy, not some imposter. It appears MCS and a Certificate Authority (CA) in China both made mistakes, which highlight ongoing problems in the way digital certificates are issued. The ruling Communist Party maintains tight controls over the internet, blocking websites it deems politically sensitive in a system dubbed the “Great Firewall of China” and obliging social media companies to censor user-generated content.

At the same time, Washington and Beijing regularly trade accusations of hacking, with FBI director James Comey declaring last October that China was at the “top of the list” of countries launching cyberattacks on US firms. What they should do is to press ahead with talks on forming cyber rules and to maintain cybersecurity.” Last week GreatFire.org said it had been hit by a barrage of automated requests known as a distributed denial of service attack in an attempt to bring down its anti-censorship services.

Chrome on Windows, OS X, and Linux, ChromeOS, and Firefox 33 and greater would have rejected these certificates because of public-key pinning, although misissued certificates for other sites likely exist. That’s because browsers are coded to trust vetted CAs, and the browsers will not generate a warning if a website carries a certificate from a known, trusted party. Mozilla, for example, requires that intermediate digital certificates must be publicly disclosed or subject to audits, or else technically constrained to prevent them from being abused. Discussions are underway on whether CNNIC should be removed from the CAs trusted by Mozilla, or if the organization’s certificates should be limited to .cn domains only.
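The difference between CA trust and public-key pinning described above, as an added example that is not from the article or any browser's code. Host names, pin set and the byte strings standing in for SubjectPublicKeyInfo data are constructed, and signature checks are assumed to have already passed.

```python
import base64
import hashlib

def spki_pin(spki: bytes) -> str:
    """Pin value: base64 of SHA-256 over the SubjectPublicKeyInfo bytes."""
    return base64.b64encode(hashlib.sha256(spki).digest()).decode()

# Constructed stand-ins for DER-encoded SPKI blobs (not real keys).
SITE_ROOT, SITE_INT = b"spki:site-root", b"spki:site-intermediate"
OTHER_ROOT, OTHER_INT = b"spki:other-root", b"spki:other-intermediate"
LEAF_GENUINE, LEAF_MISISSUED = b"spki:leaf-genuine", b"spki:leaf-misissued"

# Both roots are in the client's trust store, as with any vetted CA.
TRUSTED_ROOTS = {spki_pin(SITE_ROOT), spki_pin(OTHER_ROOT)}
# Hypothetical pin set: the pinned host must chain through SITE_INT.
PINS = {"pinned.example.test": {spki_pin(SITE_INT)}}

def evaluate(host: str, chain: list[bytes]) -> str:
    """chain is leaf-first; signatures are assumed already verified."""
    # Step 1: ordinary CA trust. Any trusted root is good enough here.
    if spki_pin(chain[-1]) not in TRUSTED_ROOTS:
        return "reject: untrusted CA"
    # Step 2: pinning. At least one key in the chain must match a pin.
    pins = PINS.get(host)
    if pins is not None and not any(spki_pin(k) in pins for k in chain):
        return "reject: pin mismatch"
    return "accept"

# Chain the site really uses, and one issued under a different trusted CA.
GENUINE = [LEAF_GENUINE, SITE_INT, SITE_ROOT]
MISISSUED = [LEAF_MISISSUED, OTHER_INT, OTHER_ROOT]

if __name__ == "__main__":
    for host in ("pinned.example.test", "unpinned.example.test"):
        for name, chain in (("genuine", GENUINE), ("misissued", MISISSUED)):
            print(f"{host:24} {name:10} {evaluate(host, chain)}")
```

The misissued chain is accepted for the unpinned host because CA trust alone decides there, which is why misissued certificates for sites without pins produce no browser warning.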

Google pulls no punches in its assessment of the situation, calling it “a serious breach of the CA [certificate authority] system” and blaming CNNIC for having “delegated their substantial authority to an organization that was not fit to hold it.” Do you need to worry? While Google did not say which domains were affected, it noted that it has fixed the problem, that Chrome users do not need to take any further action, and that it is considering whether further responses are necessary. Those types of man-in-the-middle proxies will terminate an SSL connection so encrypted traffic can be inspected, a security measure performed by some organizations. Ars Technica noted that Mozilla will be revoking the intermediate certificate for MCS in the upcoming version of Firefox, version 37, which should take care of the risk for Firefox users, as long as they upgrade.

Update: The headline of this story was updated to clarify that Google discovered the fake digital certificates, not that the company’s security was impacted. Google, which uses a technique called certificate key pinning to detect unauthorized certificates, discovered the problem March 20 and notified CNNIC, according to a blog post Monday. MCS Holdings said the incident was a “human mistake” that occurred in its lab when one of its employees was browsing the Internet using Google’s Chrome browser.
