
Fake certificates for Google domains found

On March 20, 2015, Google received information about the existence of fake digital certificates for several of its domains. The certificates were issued by an intermediate certification authority belonging to MCS Holdings. That company's intermediate certificate was issued by CNNIC (China Internet Network Information Center, the administrative agency that manages the cn domain and is controlled by the Ministry of Information of China).

CNNIC is included in all major lists of trusted certification authorities, so certificates it issues are trusted by most browsers and operating systems. Chrome on all operating systems and Firefox versions 33 and older reject the fake certificates for Google domains because the public keys for those domains are embedded in the browser binaries. This, however, does not solve the problem of the likely existence of fake certificates for other domains.
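The check described above, as an added example that is not from the original article or from any browser's source: a client that applies built-in key pins after ordinary trust-store validation rejects a forged chain for a pinned host but still accepts one for an unpinned host. Certificates are simplified records, signature verification is omitted, and all names, hosts and key bytes are constructed.

```python
import base64
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:                 # simplified stand-in for an X.509 certificate
    subject: str
    issuer: str
    spki: bytes             # public key info bytes (constructed placeholders)

def pin(spki: bytes) -> str:
    """Pin value: base64 of SHA-256 over the public key info."""
    return base64.b64encode(hashlib.sha256(spki).digest()).decode()

# All names and key bytes below are constructed sample data.
ROOT_A = Cert("Root A", "Root A", b"root-a-key")
ROOT_B = Cert("Root B", "Root B", b"root-b-key")
SUB_B = Cert("Proxy Intermediate", "Root B", b"proxy-key")
TRUST_STORE = {ROOT_A.subject: ROOT_A, ROOT_B.subject: ROOT_B}
# Pins shipped inside the client binary: domain -> acceptable key hashes.
PINS = {"pinned.example": {pin(ROOT_A.spki)}}

def chain_trusted(chain):
    """Name chaining up to a trust-store root (signature checks omitted)."""
    for child, parent in zip(chain, chain[1:]):
        if child.issuer != parent.subject:
            return False
    root = TRUST_STORE.get(chain[-1].subject)
    return root is not None and root.spki == chain[-1].spki

def pins_for(host):
    for name, hashes in PINS.items():
        if host == name or host.endswith("." + name):
            return hashes
    return None

def accept(host, chain):
    """Trust-store validation first, then the pin check if the host is pinned."""
    if not chain or chain[0].subject != host or not chain_trusted(chain):
        return False
    pinned = pins_for(host)
    if pinned is None:
        return True         # no pin for this host: the trust-store result stands
    return any(pin(c.spki) in pinned for c in chain)

genuine = [Cert("www.pinned.example", "Root A", b"site-key"), ROOT_A]
forged = [Cert("www.pinned.example", SUB_B.subject, b"mitm-key"), SUB_B, ROOT_B]
forged_other = [Cert("www.other.example", SUB_B.subject, b"mitm-key"), SUB_B, ROOT_B]
```

Both forged chains pass `chain_trusted`, because the intermediate chains to a root in the trust store; only the pin separates them.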

Google promptly notified CNNIC and the developers of other browsers about the incident and blocked all certificates issued by MCS Holdings by updating CRLSet. CNNIC responded on March 22 and explained that it had an agreement with MCS Holdings under which the company would issue certificates only for domains registered by it. However, instead of keeping the private key in secure hardware storage, MCS installed it in its product, a man-in-the-middle proxy server. These devices could generate fake certificates on the fly for the HTTPS resources users visited, allowing, for example, companies to monitor their employees without the employees suspecting that their connection was not secure. The situation is similar to the ANSSI case in 2013.

This explanation is fully consistent with the facts. However, CNNIC has still not revoked the MCS Holdings certificate, although it is obliged to do so according to all the rules.

Chrome users do not need to do anything, because they are protected by the latest CRLSet update. Google has no information about any loss of personal data or user passwords.

This incident reaffirms the importance of the Certificate Transparency project to protect the security of certificates in the future.

(Details of the fake certificate chain for software developers are here)

Update: as a result of a joint investigation of this incident by Google and CNNIC, it was decided to remove the CNNIC Root and EV certificates from the list of certificates trusted by Google products. This will be done in the next Chrome update. To reduce the damage to end users, these certificates will for some time still be considered trusted by Chrome through a temporary white list. Google and CNNIC believe that no more fake certificates will be issued, and that those already issued will be used only in the MCS Holdings internal test network. CNNIC will work on implementing Certificate Transparency for all its certificates and, once it has completed its control improvement procedures, will apply for re-inclusion in the list of trusted certification authorities.

Source: https://habr.com/ru/post/255251/

