Hawk like an Egyptian: Google is HOPPING MAD over fake SSL certs Google says security biz MCS Holdings has created unauthorized SSL certificates for some Google-owned websites. Anyone with these dodgy certificates could, in theory, set up a web server that masquerades as a legit Google site, and redirect people to the fake site by hijacking their DNS. Chrome and the latest Firefox web …
Depends on your local legislation, and your company policies of allowed uses of company equipment. Some searches could violate both. Also, using personal accounts and web mails for company material is one of the biggest security holes in many companies - and yet you can't easily disable wholly access to those account and sites.
Just, in any company where you can deploy your own CAs, there's really no need to obtain a certificate from an external one to intercept SSL traffic. Most proxies can now do it easily.
Depends on your local legislation, and your company policies of allowed uses of company equipment. Some searches could violate both.
That doesn't mean undermining the public PKI to intercept encrypted Google requests isn't malicious. Possible illegality or violation of organization policy by the users doesn't vacate the malice on the part of the snoopers. It may make the snooping legal; it doesn't make it good.
Perhaps you're familiar with a little maxim about two wrongs?
This is all a bit fishy, if the companies own the machines in question then they can self-sign and include their own self-signed certificate in their own machine's certificate stores. If it is BYOD, then ditto, if it is personal machines (for example phones using the wi-fi) then separate them out from the work machines. Getting dodgily signed certificates that will get Google all riled up at you, the Intermediate CA, and the root CA, sounds like a sledgehammer to crack a nut.
"This is all a bit fishy, if the companies own the machines in question then they can self-sign and include their own self-signed certificate in their own machine's certificate stores."
True, but I'm guessing this is aimed at small companies without the resources to do their own CA. To you and me it's not that hard to do, but I can think of several small business owners I know that wouldn't have the slightest idea.
That being said, I'd be shocked, SHOCKED! if given the locations of the CAs we're talking about (China and Egypt, right?) there wasn't something else going on.
Came here to say the same about self certs - if you control the machines. The comment about China doesn't make sense - they could've just issued the certs themselves if they wanted them. More likely is that someone with a hold over the company in Egypt wanted to spy on machines that they don't own.
More to the point is the number of organisations with their hooks in private companies, plus the number of data breaches, means that even if SSL wasn't broken it almost wouldn't matter.
True, but I'm guessing this is aimed at small companies without the resources to do their own CA. To you and me it's not that hard to do, but I can think of several small business owners I know that wouldn't have the slightest idea.
Many small businesses don't have the resources to wash their own windows, or change the oil in their vehicles. So they pay someone else to do it for them.
IT in all its guises is no different - it's just that many businesses think that getting a favourite nephew in to do the job is a viable approach...
Vic.
Consider employees that suspect their employer. Such employees can check the certificate chain, see the self-signed cert, and refrain from creating additional traffic for their employer to snoop. By spoofing the normal certificate chain, the employer creates a false sense of security.
The big issue is that the intermediate CA had no right to emit those certificates. The biggest hole in the whole PKI cert affair is that as long as selling certificates is just a business, someone will try to make more money selling certificates to anyone without proper diligence. It happened with domains, where spammers and crooks can buy them by the sackful, and will happen with certificates as more and more sites move to https.
Certificates should be like passports - guess no one in his mind would ever allow business to emit passports. But with certificates is OK, it's a business, just look to increase sales...
"Certificates should be like passports"
Exactly the consensus at the time. Governments oversee their registries/NICs which should register & authenticate KEYS in the same process as NAMES. Simples.
Worried the malignant quasi-fascist government regime you live under might be MITMing email and hoarding it all in a hollowed-out mountain somewhere? ..or spoofing your contacts to manufacture an excuse to treat you to a touch of extraordinary rendition? No problem, just use a service from a more civilised country like jmail.co.jp or kitznet.at or spray.no or bluemail.ch or Yandex.ru or...
Whole thing would have self-regulated. Every potential point of failure would have a single, static, accountable authority which the end user could simply and unambiguously select.
Of course NSA "NIST" would hear none of it. Kept muttering some brainless drivel about "market forces" and "capitalism" as it busied itself sabotaging our security.
Still, on the bright side, it was NSA "NIST"s insistence on valuing racketeering over security that gave Mark Shuttleworth the gazeeeeeeeeeeeeelions he's using to help pull the rug out from under the keeper of the NSA_KEY. Karma?
The action should be obvious - revoke all trust in the company that issued the certificates.
If they face financial melt-down due to this, and others see the consequences, maybe the future will be a little better. But saying so, it really points to a fundamentally broken system, and the certificate pinning that some browsers support is not enough of a "standard" to deal with it.
Not if you are using Chrome...
http://www.zdnet.com/article/chrome-does-certificate-revocation-better/
In spite of the apparent positive spin, the fact remains they don't properly check for revocation. The last point in the article basically says they whole system is crap/broken (as we know) but offers no proper solution to the stupidly lax design of certificate issuing where ANY one of nearly a thousand issuers can sign an imposter certificate for any domain.
"but offers no proper solution to the stupidly lax design of certificate issuing"
There is no "proper solution to the stupidly lax design of certificate issuing"
There can be no "proper solution to the stupidly lax design of certificate issuing"
Not because it's an intractable problem of course. This is simply how the "system" was contrived to be. Contrived back in the days when NSA was quaintly calling itself NIST as it set about scuttling public cryptography.
Think you can come up with a better system? You probably can. Probably in less than five minutes. Think you can get your solution adopted?
All your internets are belong to U.S.
Yes, I *can* come up with a better solution.
I have suggested it here on a number of occasions, and it's generally not badly received...
SSL certs should be pulled down as a DNS record, with the DNS record secured by DNSSEC.
DNSSEC already has lookaside validation, and if the root cert was compromised then the whole world would be shouting about it...
I suggest that each browser company runs their own lookaside validation server as a default lookaside option in their browser (since you explicitly trust them anyway) and allows you to use others if you want to.
This also provides a nice way to distribute SSH host certs etc...
I'm surprised - there doesn't seem to be a Firefox extension for whitelisting CA certs, like a NoScript for PKI chains. I wonder if there's a technical reason for that (haven't looked at the Firefox add-on interface in a long time), or if it's simply that no one has written one.
It'd be annoying for the first little while, but I'm willing to be that pretty soon I'd have whitelisted all the CA certs I legitimately expect to see until the next update. And when a non-whitelisted root or intermediary comes up, the extension could do quick CRL and OCSP checks.
Maybe a project for my next holiday.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
