Mar272015
NewsSecurityCapture - sq

Fake SSL Certificate

 

Hawk like an Egyptian: Google is HOPPING MAD over fake SSL certs; Security company MCS Holdings has created an unauthorised SSL certificate on some Google-owned websites. If someone had these dodgy certificates, they could, in theory, set up a fake Google site and hijack their DNS to redirect them to the fake site. Chrome and Firefox web browsers should detect the interceptions and refuse to talk to the server. Still, other browsers may have continued to browse the bogus websites without noticing, allowing passwords, emails, and further details to slip through their fingers. A dodgy Google certificate could be sold to corporate IT departments, allowing administrators to spy on employees’ encrypted internet traffic to Google servers since MCS is an intermediate certificate authority based in Egypt. At this point, no indication has been made that the certificates were misused.

 

Google’s certificates are crafted using intermediate certificates from CNNIC, a central Chinese certification authority trusted by most browsers and operating systems. You or I would not be able to charge a website dressed up as a Gmail login page if we created a gmail.com SSL certificate and placed it there – the HTTPS connection would be rejected because it is disconnected from the chain of trust that holds the world of SSL together. Nevertheless, CNNIC was the trusted authority that ultimately backed the Google domain certificates in MCS. Security experts are concerned that MCS issued certificates for other websites so bosses could spy on staff; they say bogus certificates are easy to print and can be stolen and used in the wild.

 

Ultimately, Chrome and Firefox’s certificate pinning sidestepped the mess of trusting intermediates by avoiding the issue of cryptographic certificate authorities. ACCORDING TO GOOGLE SECURITY ENGINEER ADAM LANGLEY, as CNNIC is listed in all major root stores, the mis issued certificates should be trusted by almost every browser and operating system. Despite the possibility of mis issued certificates for other sites, Chrome on Windows, OS X, and Linux, Chrome OS, and Firefox 33 and greater would have rejected these certificates due to public-key pinning. Google discovered the problem on March 20, which was dealt with by the Chinese certificate authority on March 22 by revoking MCS’ intermediate certificate. Google and Firefox-maker Mozilla have instructed their software to reject dodgy certificates in the future. As far as abuse is concerned, Langley told NPR, “We have no indication of abuse and are not suggesting password changes or other steps.” At this time, she said, “We are considering what additional steps might be necessary.”

 

 

At last, we would like to explore our IT Support London if you live around London and your business needs any IT support.

 

Source: Fake SSL Certificate

Categories: News, Security