Chinese CA Issues Certificates To Impersonate Google

← Back to Stories (view on slashdot.org)

Chinese CA Issues Certificates To Impersonate Google

Posted by Soulskill on Tuesday March 24, 2015 @05:54AM from the doing-trust-wrong dept.

Trailrunner7 writes: Google security engineers, investigating fraudulent certificates issued for several of the company's domains, discovered that a Chinese certificate authority was using an intermediate CA, MCS Holdings, that issued the unauthorized Google certificates, and could have issued certificates for virtually any domain. Google's engineers were able to block the fraudulent certificates in the company's Chrome browser by pushing an update to the CRLset, which tracks revoked certificates. The company also alerted other browser vendors to the problem, which was discovered on March 20. Google contacted officials at CNNIC, the Chinese registrar who authorized the intermediate CA, and the officials said that they were working with MCS to issue certificates for domains that it registered. But, instead of simply doing that, and storing the private key for the registrar in a hardware security module, MCS put the key in a proxy device designed to intercept secure traffic.

9 of 139 comments (clear)

Min score:

Reason:

Sort:

The Web of trust only works by Virtucon · 2015-03-24 05:57 · Score: 5, Insightful

When we all agree to the same rules.

--
Harrison's Postulate - "For every action there is an equal and opposite criticism"
1. Re:The Web of trust only works by Anonymous+Brave+Guy · 2015-03-24 08:08 · Score: 4, Insightful
  
  Trusting many different CAs has proven to be a bad idea
  Trusting any one of many different CAs has obvious vulnerabilities, as this case demonstrates (and it's not exactly the first time the problem of an untrustworthy CA has been observed in the wild). The current CA system isn't really a web of trust, because it ultimately depends on multiple potential single points of failure.
  One way or another, in the absence of out-of-band delivery of appropriate credentials, you have to trust someone, so I suspect the pragmatic approach is to move to a true web-of-trust system, where you trust a combination of sources collectively but never trust any single source alone, and where mistrust can also be propagated through the system. Then at least you can still ship devices/operating systems/browsers seeded with a reasonable set of initial sources you trust, but any single bad actor can quickly be removed from the trust web by consensus later while no single bad actor can undermine the credibility of the web as a whole. Such a system could still allow you to independently verify that the identity of a system you're talking to via out-of-band details if required.
  
  --
  If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
Re:Are the CAs that do this revoked? by BenJeremy · 2015-03-24 06:12 · Score: 5, Insightful

THIS.
Make an example out of them, at the very least. I doubt MCS or CNNIC will do anything to disengage themselves from the Chinese government (Most likely culprit here). Revoke their authority and put an end to this nonsense.
Re:Google wants a monopoly... by Shoten · 2015-03-24 06:20 · Score: 5, Insightful

...on processing of your private information. It is in its interests to make sure everything is secure until the moment it reaches their servers.
And if you live there, China wants a monopoly on knowing your private information...plus incarcerating you and even killing you to harvest your transplantable organs should it find that it doesn't like something it learns about you. Like that you think Tibet should be free. Or if you worship the wrong god.
Please do try to keep a sense of perspective?

--

For your security, this post has been encrypted with ROT-13, twice.
Re:One-sided relationship by nitehawk214 · 2015-03-24 06:31 · Score: 4, Insightful

Because American voters can't see past the end of their noses. If congress enacted laws that increased prices on their Wallmart goods, they would be voted out so fast. Coupled with this the fact that the lobbies of corporations want to keep the status quo that keeps them rich.

--
I'm a good cook. I'm a fantastic eater. - Steven Brust
Re:Are the CAs that do this revoked? by Anonymous Coward · 2015-03-24 06:35 · Score: 5, Insightful

So are we going to revoke Verisign's root CA certificate (and screw up the millions of websites that use their certs) when we eventually find out that the NSA strong-armed them into doing the same thing?
Re:Are the CAs that do this revoked? by Holi · 2015-03-24 06:38 · Score: 5, Insightful

If we are serious about trust then yes, otherwise this isn't the beginning of the end, it's just the end. If the cert's cannot be trusted and we are not willing to take the steps to preserve that trust then the whole internet economy goes poof.

--
Sorry, teleporters just kill you and then make a copy. A perfect, soul-less copy.
Re:Bet the US can as well ... by SuricouRaven · 2015-03-24 06:42 · Score: 4, Insightful

The big difference is that China got caught. I'm sure the US has this capability too - but they use it only in targeted intercepts, so as to maintain deniability.
Revoke the certs by Imagix · 2015-03-24 06:52 · Score: 5, Insightful

At a _minimum_ MCS's rights need to be revoked. There needs to be an independent audit of any cert that CNNIC has issued _at CNNIC's expense_, and of their operations (both CNNIC, and the organizations to which they've issued certs), or CNNIC should have its rights revoked as well. MCS is completely untrustable, and CNNIC has to prove that they are currently trustable. CNNIC's operations need to be audited or they may just turn around an issue a new cert to MCS. (Or "MCS" with a new name)