Chinese CA Issues Certificates To Impersonate Google
Trailrunner7 writes: Google security engineers, investigating fraudulent certificates issued for several of the company's domains, discovered that a Chinese certificate authority was using an intermediate CA, MCS Holdings, that issued the unauthorized Google certificates, and could have issued certificates for virtually any domain. Google's engineers were able to block the fraudulent certificates in the company's Chrome browser by pushing an update to the CRLset, which tracks revoked certificates. The company also alerted other browser vendors to the problem, which was discovered on March 20. Google contacted officials at CNNIC, the Chinese registrar who authorized the intermediate CA, and the officials said that they were working with MCS to issue certificates for domains that it registered. But, instead of simply doing that, and storing the private key for the registrar in a hardware security module, MCS put the key in a proxy device designed to intercept secure traffic.
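The two defences the summary touches on, public-key pins for a site and a CRLSet push that blocks the rogue intermediate's key, as an added worked example in Go; this is not code from the original story, from Google or from any browser. It builds a throwaway PKI in memory (a root, a legitimate intermediate, and a second intermediate issued by the same root, standing in for the MCS Holdings sub-CA), issues a certificate for the same hostname from each, and shows that ordinary path validation accepts the rogue chain while either a pin or a CRLSet entry rejects it. The hostname, the CA names, the serial numbers and the layout of the `CRLSet` type are assumptions made for illustration; real CRLSets are keyed by issuer SPKI hash and serial, but their wire format is not reproduced here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// spkiHash is the hex SHA-256 of a cert's SubjectPublicKeyInfo, the value both Chrome's
// CRLSet entries and HTTPS public-key pins are indexed by.
func spkiHash(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// issue creates a P-256 certificate for cn signed by parent (self-signed when parent is nil).
func issue(cn string, isCA bool, serial int64, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: isCA, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{cn}
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// CRLSet is an assumed, simplified shape of Chrome's CRLSet: individual serials revoked
// under an issuer's SPKI hash, plus SPKI hashes blocked outright, which is how a rogue
// intermediate can be cut off for every site in a single push.
type CRLSet struct {
	Revoked      map[string]bool // "<issuer SPKI hash>/<serial hex>" -> revoked
	BlockedSPKIs map[string]bool
}

// verify runs path validation, then the CRLSet and pin checks over the resulting chain.
// An empty pins map means the host has no pins, so path validation alone decides.
func verify(leaf, inter *x509.Certificate, roots *x509.CertPool, host string, pins map[string]bool, crl CRLSet) error {
	ipool := x509.NewCertPool()
	ipool.AddCert(inter)
	chains, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots, Intermediates: ipool})
	if err != nil {
		return err
	}
	chain := chains[0] // leaf, intermediate, root
	for i, c := range chain {
		if crl.BlockedSPKIs[spkiHash(c)] {
			return fmt.Errorf("%q: public key blocked by CRLSet", c.Subject.CommonName)
		}
		if i+1 < len(chain) && crl.Revoked[spkiHash(chain[i+1])+"/"+c.SerialNumber.Text(16)] {
			return fmt.Errorf("%q: serial revoked by CRLSet", c.Subject.CommonName)
		}
	}
	for _, c := range chain {
		if len(pins) == 0 || pins[spkiHash(c)] {
			return nil
		}
	}
	return fmt.Errorf("%s: no pinned public key anywhere in the chain", host)
}

// Run builds the constructed PKI (no real keys or certificates) and reports how each check
// fares: keys are scenario names, values are the verification errors (nil = accepted).
func Run() map[string]error {
	const host = "www.example.com" // constructed hostname, not one of Google's domains
	root, rootKey := issue("Constructed Root CA", true, 1, nil, nil)
	goodCA, goodKey := issue("Legitimate Intermediate CA", true, 2, root, rootKey)
	rogueCA, rogueKey := issue("Rogue Intermediate CA", true, 3, root, rootKey) // same trusted root
	goodLeaf, _ := issue(host, false, 100, goodCA, goodKey)
	rogueLeaf, _ := issue(host, false, 101, rogueCA, rogueKey) // unauthorized cert for the same name
	roots := x509.NewCertPool()
	roots.AddCert(root)
	pins := map[string]bool{spkiHash(goodCA): true} // the site pins its legitimate intermediate's key
	blocked := CRLSet{BlockedSPKIs: map[string]bool{spkiHash(rogueCA): true}}
	return map[string]error{
		"legit, pins":         verify(goodLeaf, goodCA, roots, host, pins, CRLSet{}),
		"rogue, no pins":      verify(rogueLeaf, rogueCA, roots, host, nil, CRLSet{}), // accepted
		"rogue, pins":         verify(rogueLeaf, rogueCA, roots, host, pins, CRLSet{}),
		"rogue, CRLSet block": verify(rogueLeaf, rogueCA, roots, host, nil, blocked),
	}
}

func main() {
	for name, err := range Run() {
		fmt.Printf("%-20s -> %v\n", name, err)
	}
}
```

The "rogue, no pins" case is the point of the story: because the rogue intermediate chains to a root every client trusts, nothing in standard path validation distinguishes its certificate from the legitimate one. Pinning catches it only for sites that ship pins, which is why the CRLSet entry, which blocks the intermediate's key for every hostname at once, is the remedy a browser vendor can apply fleet-wide.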
Yup, same as DigiNotar. This company is no longer trustworthy, regardless of whether this happened on purpose or due to being incompetent.
The Web of trust only works ... when we all agree to the same rules.
The CA system is broken. Trusting many different CAs has proven to be a bad idea, since any CA can issue a certificate for any domain name they please, like these guys did, plus the fact that many CAs have suffered serious security breaches. What we've needed for years is some sort of DNS-like system for certificates, where certificates can be revoked and the action will be cascaded through the entire net quickly, like domain name changes. There have even been proposals to use DNS for this purpose, which as far as I understand it would render CAs redundant. Under the current system Google can only remove the certificates from the CA Root lists Google controls, if the bad certificates have made it into those, and politely request that others who maintain CA Root lists do the same. I can only theorise that CA reform has proven problematic since implementing such a system would be taking a bowl of soup from the cauldron of a certain set of people who have an interest in maintaining the old system and have resisted reform. I can't imagine any other reason why the certificate system hasn't been changed.