Google security engineers, investigating fraudulent certificates issued for several of the company’s domains, discovered that a Chinese certificate authority was using an intermediate CA, MCS Holdings, that issued the unauthorized Google certificates, and could have issued certificates for virtually any domain.
Google’s engineers were able to block the fraudulent certificates in the company’s Chrome browser by pushing an update to the CRLset, which tracks revoked certificates. The company also alerted other browser vendors to the problem, which was discovered on March 20. Google contacted officials at CNNIC, the Chinese registrar who authorized the intermediate CA, and the officials said that they were working with MCS to issue certificates for domains that it registered.
But, instead of simply doing that, and storing the private key for the registrar in a hardware security module, MCS put the key in a proxy device designed to intercept secure traffic.
“CNNIC responded on the 22nd to explain that they had contracted with MCS Holdings on the basis that MCS would only issue certificates for domains that they had registered. However, rather than keep the private key in a suitable HSM, MCS installed it in a man-in-the-middle proxy. These devices intercept secure connections by masquerading as the intended destination and are sometimes used by companies to intercept their employees’ secure traffic for monitoring or legal reasons,” Google’s Adam Langley said in a blog post Monday.
“The employees’ computers normally have to be configured to trust a proxy for it to be able to do this. However, in this case, the presumed proxy was given the full authority of a public CA, which is a serious breach of the CA system.”
Langley said that although the certificate is blocked in Chrome and the other browser vendors are aware of the problem, that may not be the end of it. The CNNIC authority is trusted by all of the major browsers.
“CNNIC is included in all major root stores and so the misissued certificates would be trusted by almost all browsers and operating systems. Chrome on Windows, OS X, and Linux, ChromeOS, and Firefox 33 and greater would have rejected these certificates because of public-key pinning, although misissued certificates for other sites likely exist,” Langley said.
Mozilla officials said they have pushed an update in the OneCRL function in Firefox to revoke trust in the unauthorized MCS certificate. The
“China Internet Network Information Center (CNNIC), a non-profit organization administrated by Cyberspace Administration of China (CAC), operates the “CNNIC Root” and “China Internet Network Information Center EV Certificates Root” certificates that are included in NSS, and used to issue certificates to organizations and the general public. CNNIC issued an unconstrained intermediate certificate that was labeled as a test certificate and had a two week validity, expiring April 3, 2015. Their customer loaded this certificate into a firewall device which performed SSL MITM, and a user inside their network accessed other servers, causing the firewall to issue certificates for domains that this customer did not own or control,” Mozilla’s Kathleen Wilson said in a blog post.
The CNNIC issue is very similar to a problem that arose in 2013 with French CA ANSSI. In that case, an intermediate CA also issued unauthorized certificates for some Google domains, using the trust placed in ANSSI, the higher-level CA. The intermediate CA also was used in a man-in-the-middle proxy device.
“ANSSI has found that the intermediate CA certificate was used in a commercial device, on a private network, to inspect encrypted traffic with the knowledge of the users on that network. This was a violation of their procedures and they have asked for the certificate in question to be revoked by browsers. We updated Chrome’s revocation metadata again to implement this,” Langley said at the time.
The latest case of fraudulent certificate issuance highlights one of the key weaknesses in the CA system: Every certificate authority has the power to issue certificates for any domain. It’s a problem that has arisen time and again over the years, and experts have yet to find a suitable solution.