Google warns of unauthorized TLS certificates trusted by almost all OSes [Updated]

In the latest security lapse involving the Internet's widely used encryption system, Google said unauthorized digital certificates have been issued for several of its domains and warned misissued credentials may be impersonating other unnamed sites as well.

The bogus transport layer security certificates are trusted by all major operating systems and browsers, although a fall-back mechanism known as public key pinning prevented the Chrome and Firefox browsers from accepting those that vouched for the authenticity of Google properties, Google security engineer Adam Langley wrote in a blog post published Monday. The certificates were issued by Egypt-based MCS Holdings, an intermediate certificate authority that operates under the China Internet Network Information Center (CNNIC). The Chinese domain registrar and certificate authority, in turn, is included in root stores for virtually all OSes and browsers.

The issuance of the unauthorized certificates represents a major breach of rules established by certificate authorities and browser makers. Under no conditions are CAs allowed to issue certificates for domains other than those legitimately held by the customer requesting the credential. In early 2012, critics blasted US-based CA Trustwave for doing much the same thing, and Langley noted an example of a France-based CA that has also run afoul of the policy.

Langley wrote:

We promptly alerted CNNIC and other major browsers about the incident, and we blocked the MCS Holdings certificate in Chrome with a CRLSet push. CNNIC responded on the 22nd to explain that they had contracted with MCS Holdings on the basis that MCS would only issue certificates for domains that they had registered. However, rather than keep the private key in a suitable HSM, MCS installed it in a man-in-the-middle proxy. These devices intercept secure connections by masquerading as the intended destination and are sometimes used by companies to intercept their employees’ secure traffic for monitoring or legal reasons. The employees’ computers normally have to be configured to trust a proxy for it to be able to do this. However, in this case, the presumed proxy was given the full authority of a public CA, which is a serious breach of the CA system. This situation is similar to a failure by ANSSI in 2013.

This explanation is congruent with the facts. However, CNNIC still delegated their substantial authority to an organization that was not fit to hold it.

Chrome users do not need to take any action to be protected by the CRLSet updates. We have no indication of abuse and we are not suggesting that people change passwords or take other action. At this time we are considering what further actions are appropriate.

On Twitter, Langley added: "We understand that the MITM proxy was owned and operated by MCS Holdings and it only saw traffic from their clients."

A separate blog post from Mozilla officials said the intermediate certificate issued to MCS holdings will be revoked in the upcoming Firefox version 37. The post went on to say:

Issue

China Internet Network Information Center (CNNIC), a non-profit organization administrated by Cyberspace Administration of China (CAC), operates the “CNNIC Root” and “China Internet Network Information Center EV Certificates Root” certificates that are included in NSS, and used to issue certificates to organizations and the general public. CNNIC issued an unconstrained intermediate certificate that was labeled as a test certificate and had a two week validity, expiring April 3, 2015. Their customer loaded this certificate into a firewall device which performed SSL MITM, and a user inside their network accessed other servers, causing the firewall to issue certificates for domains that this customer did not own or control. Mozilla’s CA Certificate Policy prohibits certificates from being used in this manner when they chain up to a root certificate in Mozilla’s CA program.

Impact

An intermediate certificate that is used for MITM allows the holder of the certificate to decrypt and monitor communication within their network between the user and any website without browser warnings being triggered. An attacker armed with a fraudulent SSL certificate and an ability to control their victim’s network could impersonate websites in a way that would be undetectable to most users. Such certificates could deceive users into trusting websites appearing to originate from the domain owners, but actually containing malicious content or software. We believe that this MITM instance was limited to CNNIC’s customer’s internal network.

Ars is in the process of reaching out to officials at Microsoft to ask if they have plans to blacklist the misissued Google certificates or is aware of any other unauthorized credentials. This post will be updated if they respond. Update: In an advisory published Tuesday, Microsoft said it has updated its certificate trust list to revoke all MCS Holdings credentials. Additionally, the post said the domains in the misissued certificates included *.google.com, *.google.com.eg, *.g.doubleclick.net, *.gstatic.com, www.google.com, www.gmail.com, and *.googleapis.com.

The incident underscores two fundamental weaknesses with the currently implemented system the entire Internet relies on to encrypt sensitive data and to prove websites and e-mail servers belong to the people or organizations claiming ownership. First, with hundreds of authorities directly or indirectly trusted by all major OSes, all it takes is one rogue or lax CA to compromise the security of the entire system. Second, once that security has been compromised, there is no sure way to revoke certificates short of each OS or browser maker issuing its own update. The Internet got a refresher course in these structural weaknesses last week, when an oversight at Microsoft allowed one man to obtain an unauthorized certificate for live.fi and another man to receive bogus certificates for live.be.

Defenders of the current system for acquiring and revoking TLS certificates have recently chafed in response to statements from this author that it's hopelessly broken. Besides remembering that almost all of these critics have a strong financial interest in the way the system works now, consider this: after more than a decade of breaches, the system can be and occasionally still is crippled by a single point of failure that requires patches from multiple software providers. In Monday's post, Langley held out certificate transparency as one potential antidote. Other possible remedies include a more streamlined form of certificate pinning and several proposals similarly aimed at mending the most serious holes.

Post updated to avoid the phrase "TLS system."