Microsoft blacklists latest rogue SSL certificates

25 Mar 2015

Google warns of fake digital certificates issued for its domains and potentially others (Updated).

Anyone with these dodgy certificates could set up a web server that masquerades as a legit Google site, and redirect people to the fake site by hijacking their DNS.

Chrome and the latest Firefox web browsers should detect the interception, and refuse to talk to the server, but other browsers may have continued to the bogus websites none the wiser, allowing passwords, emails, and other details to slip into the wrong hands. MCS, an intermediate certificate authority based in Egypt, created the dodgy Google certificates and issued them to companies so IT admins can intercept and inspect employees’ encrypted internet traffic to Google servers while at work, it’s claimed.

That’s bad, because any browser accessing these domains via transport layer security (TLS; the latest security protocol, and a successor to SSL) counts on a certificate in order to be sure that it’s connecting with the real McCoy, not some imposter. If you or I were to create an SSL certificate, and plonk it on a website dressed up to look like a Gmail login page, no browser would trust it because it is disconnected from the chain of trust that holds the world of SSL together – the HTTPS connection would be rejected.

It’s feared MCS has issued certs for other websites so bosses can snoop on staff; the ease with which bogus certificates can be issued, and perhaps stolen and used in the wild, concerns security experts. Chrome on Windows, OS X, and Linux, ChromeOS, and Firefox 33 and greater would have rejected these certificates because of public-key pinning, although misissued certificates for other sites likely exist.

Google and Firefox-maker Mozilla have instructed their software to reject the dodgy certificates. “We have no indication of abuse and we are not suggesting that people change passwords or take other action,” Langley said. “At this time we are considering what further actions are appropriate.”
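The two checks described above, chain-of-trust validation and public-key pinning, as an added example in Go. This is not code from the article, from Google or from Mozilla; it builds two constructed certificate chains for a made-up hostname, both of which end in a root the client trusts (mirroring an intermediate that a trusted root has delegated authority to), and shows that ordinary chain validation accepts both while a pin on the site operator's own intermediate key rejects the rogue one. The pin format (base64 of the SHA-256 of the SubjectPublicKeyInfo) is the one used by HTTP Public Key Pinning; the CA names, hostname and key types are assumptions for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// Verdict is what a pinning-aware client concludes about a server's chain.
type Verdict struct {
	ChainValid bool // the chain ends in a root the client trusts
	PinMatched bool // at least one certificate in the chain carries a pinned key
}

func must(err error) {
	if err != nil {
		panic(err) // constructed demo: key/cert generation failures are programming errors
	}
}

// spkiPin returns base64(SHA-256(SubjectPublicKeyInfo)), the HPKP pin format.
// Pinning the key rather than the certificate survives routine renewals.
func spkiPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// issue creates a certificate for subject signed by parent/parentKey;
// a nil parent yields a self-signed root. All names here are constructed.
func issue(subject string, isCA bool, dns []string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	serial, err := rand.Int(rand.Reader, big.NewInt(1<<62))
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: subject},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		DNSNames:              dns,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	signer := key
	if parent == nil {
		parent = tmpl // self-signed
	} else {
		signer = parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// Evaluate runs ordinary path validation for host, then requires that some
// certificate in the validated chain matches one of the pinned keys.
func Evaluate(leaf, inter *x509.Certificate, roots *x509.CertPool, host string, pins map[string]bool) Verdict {
	inters := x509.NewCertPool()
	inters.AddCert(inter)
	chains, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots, Intermediates: inters})
	if err != nil {
		return Verdict{} // chain does not reach a trusted root: rejected before pins matter
	}
	v := Verdict{ChainValid: true}
	for _, c := range chains[0] {
		if pins[spkiPin(c)] {
			v.PinMatched = true
		}
	}
	return v
}

// Demo builds a legitimate chain and a rogue chain for the same constructed
// hostname; both roots sit in the client's trust store, only the site's own
// intermediate key is pinned.
func Demo() (legit, rogue Verdict) {
	const host = "mail.example.test" // constructed hostname
	legitRoot, legitRootKey := issue("Legit Root CA", true, nil, nil, nil)
	legitInter, legitInterKey := issue("Legit Intermediate CA", true, nil, legitRoot, legitRootKey)
	legitLeaf, _ := issue(host, false, []string{host}, legitInter, legitInterKey)

	otherRoot, otherRootKey := issue("Other Trusted Root CA", true, nil, nil, nil)
	rogueInter, rogueInterKey := issue("Delegated Intermediate CA", true, nil, otherRoot, otherRootKey)
	rogueLeaf, _ := issue(host, false, []string{host}, rogueInter, rogueInterKey)

	roots := x509.NewCertPool()
	roots.AddCert(legitRoot)
	roots.AddCert(otherRoot)
	pins := map[string]bool{spkiPin(legitInter): true}

	return Evaluate(legitLeaf, legitInter, roots, host, pins),
		Evaluate(rogueLeaf, rogueInter, roots, host, pins)
}

func main() {
	legit, rogue := Demo()
	fmt.Printf("legitimate chain: %+v\nrogue chain:      %+v\n", legit, rogue)
}
```

The rogue chain reports `ChainValid: true` because the delegated intermediate is signed by a root the client trusts; only the `PinMatched: false` result lets the client refuse it, which is why pinning, and not the trust store, is what protected Chrome and Firefox 33+ users here.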

Google pulls no punches in its assessment of the situation, calling it “a serious breach of the CA [certificate authority] system” and blaming CNNIC for having “delegated their substantial authority to an organization that was not fit to hold it.” Do you need to worry? While Google did not say which domains were affected, it noted that it has fixed the problem, that Chrome users do not need to take any further action, and that it is considering whether further responses are necessary.

Ars Technica noted that Mozilla will be revoking the intermediate certificate for MCS in the upcoming version of Firefox, version 37, which should take care of the risk for Firefox users, as long as they upgrade. Update: The headline of this story was updated to clarify that Google discovered the fake digital certificates, not that the company’s security was impacted.
