Google last week revoked digital certificates for some of its domains that had been fraudulently signed by an intermediate certificate authority with links to France’s cyber-defense agency.
The Agence Nationale de la Sécurité des Systèmes d’Information (ANSSI) claims that the spoofed Google certificates were signed by mistake and that the error had no security impact on either the French government or the general public.
“As a result of a human error which was made during a process aimed at strengthening the overall IT security of the French Ministry of Finance, digital certificates related to third-party domains which do not belong to the French administration have been signed by a certification authority of the DGTrésor (Treasury) which is attached to the [Infrastructure Management Trust Administration],” ANSSI officials published in a bulletin on their website.
Google says it first noticed the unauthorized digital certificates late on Dec. 3 and immediately updated Chrome’s certificate revocation list to block all certs issued by the intermediate authority. Google then informed the ANSSI and the other major browsers about the bad cert as well.
The bad certs were not signed by the ANSSI directly but by an intermediate authority whose own certificate had been signed by the ANSSI. Certificates issued by an intermediate CA are automatically trusted by browsers if the browsers already trust the root CA that signed the intermediate CA’s certificate. In other words, the ANSSI issued a certificate to the offending intermediate CA, granting that intermediate CA the full authority of the root CA, which in this case was the ANSSI. It was then the intermediate CA that issued fake certificates for the Google domains in question, certificates a browser would accept as genuine when establishing a secure connection to those domains.
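How that inherited trust works, and why the fix was to revoke the intermediate rather than chase individual spoofed certificates, as an added example that is not from the article or from Google or ANSSI: a constructed root, intermediate and leaf built with the Python `cryptography` library. The CA names, the `www.example.com` leaf and the issue date are assumptions.

```python
import datetime
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
NOW = datetime.datetime(2013, 12, 3, tzinfo=datetime.timezone.utc)  # constructed issue date

def make_cert(cn, issuer, issuer_key, key, is_ca):
    # Issue a cert for common name cn; issuer=None yields a self-signed root.
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    return (x509.CertificateBuilder()
            .subject_name(subject)
            .issuer_name(issuer.subject if issuer else subject)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(NOW).not_valid_after(NOW + datetime.timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(issuer_key, hashes.SHA256()))

def signed_by(cert, issuer):  # does cert's signature verify under issuer's public key?
    try:
        issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   ec.ECDSA(cert.signature_hash_algorithm))
        return True
    except Exception:
        return False

def chain_is_trusted(leaf, pool, roots, revoked):
    # Follow issuer links from the leaf up to a root in `roots`; trust is inherited
    # down the chain, so any revoked certificate on the path breaks it.
    cert = leaf
    for _ in range(len(pool) + 1):
        if cert.fingerprint(hashes.SHA256()) in revoked:
            return False
        if cert in roots:
            return True
        cert = next((c for c in pool if c.subject == cert.issuer and signed_by(cert, c)), None)
        if cert is None:
            return False
    return False

# Constructed chain: a root, an intermediate it signed, and a leaf for a domain the
# intermediate had no business issuing for (stand-in for the spoofed Google certificates).
root_key, inter_key, leaf_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
ROOT = make_cert("Constructed Root CA", None, root_key, root_key, True)
INTER = make_cert("Constructed Intermediate CA", ROOT, root_key, inter_key, True)
LEAF = make_cert("www.example.com", INTER, inter_key, leaf_key, False)

def trust_before_and_after_revocation():
    # The browser trusts only ROOT, yet the leaf passes because INTER inherits that trust;
    # putting INTER's fingerprint on the revocation list is what finally blocks it.
    revoked = {INTER.fingerprint(hashes.SHA256())}
    return (chain_is_trusted(LEAF, [INTER, ROOT], {ROOT}, set()),
            chain_is_trusted(LEAF, [INTER, ROOT], {ROOT}, revoked))  # (True, False)
```

Nothing in the chain walk looks at which domain the intermediate is allowed to issue for, which is exactly why a trusted root's delegation reaches every name unless the browser pins expected issuers or revokes the delegate.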
“ANSSI has found that the intermediate CA certificate was used in a commercial device, on a private network, to inspect encrypted traffic with the knowledge of the users on that network,” Google security engineer Adam Langley wrote on Google’s Online Security Blog. “This was a violation of their procedures and they have asked for the certificate in question to be revoked by browsers. We updated Chrome’s revocation metadata again to implement this.”
Google says that its actions addressed an immediate security problem for its users.
“Since our priority is the security and privacy of our users, we are carefully considering what additional actions may be necessary,” Google warned.
The ANSSI says that the whole infrastructure management trust administration (IGC/A) process is under review to ensure that “no incident of this kind will ever happen again.”
It is well known that the SSL certificate system that establishes trust online is seriously flawed. In an attempt to better the situation, Google initiated the Certificate Transparency project, which aims to eliminate these flaws by providing an open framework for monitoring and auditing SSL certificates. Google called this incident a serious breach and says it underscores the need for better certificate transparency.