In-brief: Google warned its users that unauthorized digital certificates have been issued for several of its domains. The certificates are linked to an intermediary certificate authority for CNNIC, which administers China’s domain name registry.
Updated with comment from Kevin Bocek of Venafi. Paul 3/27/2015
Google is warning its users that unauthorized digital certificates have been issued for several of its domains. The certificates, issued by an intermediary certificate authority for the China Internet Network Information Center (CNNIC) may be used to impersonate official Google sites and other, as-yet unnamed Internet destinations.
In a blog post on Monday, Google said that on March 20th, the company became aware that unauthorized digital certificates for several Google domains were circulating.
The certificates were issued by an intermediate certificate authority apparently held by a company called MCS Holdings. The intermediate certificate for MCS was issued by CNNIC, which administers China’s domain name registry and the “.CN” country code top level domain.
Google notes that CNNIC is included in all major root stores “and so the misissued (sp) certificates would be trusted by almost all browsers and operating systems.”
However, the company’s Chrome browser and Mozilla’s Firefox 33 and greater would have rejected the certificates and issued warnings to users. Those browsers use a strategy called “public-key pinning” in which specific web sites specify which Certificate Authorities have issued valid certificates for that site. TLS connections to those sites are rejected if they use a certificate that was not issued by a “known-good” certificate authority.
Google said it alerted CNNIC and other major browsers about the incident and blocked the MCS Holdings certificate in Chrome.
According to Google, CNNIC responded on the 22nd to explain that they had “contracted with MCS Holdings on the basis that MCS would only issue certificates for domains that they had registered. However, rather than keep the private key in a suitable HSM, MCS installed it in a man-in-the-middle proxy.”
Products such as security appliances may intercept and terminate secure connections by masquerading as the intended destination. The decrypted traffic can then be analyzed. Typically, the users computers would have to be configured to trust a proxy for it to be able to do this. “However, in this case, the presumed proxy was given the full authority of a public CA, which is a serious breach of the CA system,” Google noted. CNNIC’s explanation seems to fit with the facts that Google observed. But the company said China’s chief CA “still delegated their substantial authority to an organization that was not fit to hold it.”
Google said it didn’t have any evidence of abuse and isn’t calling on users to change passwords or take other actions. But Google is “considering what further actions are appropriate.”
“Venafi predicted this would happen months ago when it was announced that Lu Wei, also known as China’s web doorkeeper, would be appointed China’s new Internet czar and head of CNNIC,” said Kevin Bocek, the Vice President of Security Strategy and Threat Intelligence at Venafi.
“CNNIC is included in all browsers, smartphones, and tablets. The laptop on your desk and mobile phone in your pocket trust the Chinese government — the same government conducting cyber espionage on a daily basis against U.S. companies and government agencies,” he said.
Bocek, whose company sells technology that secures cryptographic keys and digital certificates, said the incident is more evidence that steps must be taken to reduce the exposure that companies and individuals have to untrusted CAs or those that might be easily compromised.
The incident is similar to one in July, in which Google also spotted unauthorized certificates for Google domains that were issued by National Informatics Centre (NIC) of India, As it did on Monday, Google issued public warnings about the discovery and revoked the certificates in question.
Last month, PC maker Lenovo was on the receiving end of complaints about its partnership with Superfish, a visual search engine that opened a dangerous security hole on Lenovo PCs: installing a root Certificate Authority that gave the adware the ability to impersonate any SSL-enabled site.
Bocek said these incidents are “just the tip of the iceberg. “
“There are likely many, many more unauthorized certificates that have been fraudulently obtained or issued without authorization to conduct spoofing and man-in-the-middle attacks,” he told Security Ledger.