back to article Hawk like an Egyptian: Google is HOPPING MAD over fake SSL certs

Google says security biz MCS Holdings has created unauthorized SSL certificates for some Google-owned websites. Anyone with these dodgy certificates could, in theory, set up a web server that masquerades as a legit Google site, and redirect people to the fake site by hijacking their DNS. Chrome and the latest Firefox web …

  1. Anonymous Coward
    Anonymous Coward

    "[...] intercept and inspect employees' encrypted internet traffic to Google servers while at work, it's claimed. There is no suggestion at this stage that the certificates were used for malicious purposes."

    Intercepting someone's Google searches sounds malicious to me.

    1. Anonymous Coward
      Anonymous Coward

      Gah, came here to say the same thing.

    2. LDS Silver badge

      Depends on your local legislation, and your company policies of allowed uses of company equipment. Some searches could violate both. Also, using personal accounts and web mails for company material is one of the biggest security holes in many companies - and yet you can't easily disable wholly access to those account and sites.

      Just, in any company where you can deploy your own CAs, there's really no need to obtain a certificate from an external one to intercept SSL traffic. Most proxies can now do it easily.

      1. Michael Wojcik Silver badge

        Depends on your local legislation, and your company policies of allowed uses of company equipment. Some searches could violate both.

        That doesn't mean undermining the public PKI to intercept encrypted Google requests isn't malicious. Possible illegality or violation of organization policy by the users doesn't vacate the malice on the part of the snoopers. It may make the snooping legal; it doesn't make it good.

        Perhaps you're familiar with a little maxim about two wrongs?

  2. ZSn

    Odd?

    This is all a bit fishy, if the companies own the machines in question then they can self-sign and include their own self-signed certificate in their own machine's certificate stores. If it is BYOD, then ditto, if it is personal machines (for example phones using the wi-fi) then separate them out from the work machines. Getting dodgily signed certificates that will get Google all riled up at you, the Intermediate CA, and the root CA, sounds like a sledgehammer to crack a nut.

    1. Matt Piechota

      Re: Odd?

      "This is all a bit fishy, if the companies own the machines in question then they can self-sign and include their own self-signed certificate in their own machine's certificate stores."

      True, but I'm guessing this is aimed at small companies without the resources to do their own CA. To you and me it's not that hard to do, but I can think of several small business owners I know that wouldn't have the slightest idea.

      That being said, I'd be shocked, SHOCKED! if given the locations of the CAs we're talking about (China and Egypt, right?) there wasn't something else going on.

      1. BristolBachelor Gold badge

        Re: Odd?

        Came here to say the same about self certs - if you control the machines. The comment about China doesn't make sense - they could've just issued the certs themselves if they wanted them. More likely is that someone with a hold over the company in Egypt wanted to spy on machines that they don't own.

        More to the point is the number of organisations with their hooks in private companies, plus the number of data breaches, means that even if SSL wasn't broken it almost wouldn't matter.

      2. goldcd

        erm

        I would have thought self-signing would be a smidge easier, than getting somebody else to provide you faked google certificates - presuming these weren't being handed out alongside business DSL connections or similar.

      3. Vic

        Re: Odd?

        True, but I'm guessing this is aimed at small companies without the resources to do their own CA. To you and me it's not that hard to do, but I can think of several small business owners I know that wouldn't have the slightest idea.

        Many small businesses don't have the resources to wash their own windows, or change the oil in their vehicles. So they pay someone else to do it for them.

        IT in all its guises is no different - it's just that many businesses think that getting a favourite nephew in to do the job is a viable approach...

        Vic.

    2. Anonymous Coward
      Anonymous Coward

      Re: Odd?

      Consider employees that suspect their employer. Such employees can check the certificate chain, see the self-signed cert, and refrain from creating additional traffic for their employer to snoop. By spoofing the normal certificate chain, the employer creates a false sense of security.

    3. LDS Silver badge

      Re: Odd?

      The big issue is that the intermediate CA had no right to emit those certificates. The biggest hole in the whole PKI cert affair is that as long as selling certificates is just a business, someone will try to make more money selling certificates to anyone without proper diligence. It happened with domains, where spammers and crooks can buy them by the sackful, and will happen with certificates as more and more sites move to https.

      Certificates should be like passports - guess no one in his mind would ever allow business to emit passports. But with certificates is OK, it's a business, just look to increase sales...

      1. Anonymous Coward
        Anonymous Coward

        Re: Odd?

        "Certificates should be like passports"

        Exactly the consensus at the time. Governments oversee their registries/NICs which should register & authenticate KEYS in the same process as NAMES. Simples.

        Worried the malignant quasi-fascist government regime you live under might be MITMing email and hoarding it all in a hollowed-out mountain somewhere? ..or spoofing your contacts to manufacture an excuse to treat you to a touch of extraordinary rendition? No problem, just use a service from a more civilised country like jmail.co.jp or kitznet.at or spray.no or bluemail.ch or Yandex.ru or...

        Whole thing would have self-regulated. Every potential point of failure would have a single, static, accountable authority which the end user could simply and unambiguously select.

        Of course NSA "NIST" would hear none of it. Kept muttering some brainless drivel about "market forces" and "capitalism" as it busied itself sabotaging our security.

        Still, on the bright side, it was NSA "NIST"s insistence on valuing racketeering over security that gave Mark Shuttleworth the gazeeeeeeeeeeeeelions he's using to help pull the rug out from under the keeper of the NSA_KEY. Karma?

  3. Paul Crawford Silver badge

    The action should be obvious - revoke all trust in the company that issued the certificates.

    If they face financial melt-down due to this, and others see the consequences, maybe the future will be a little better. But saying so, it really points to a fundamentally broken system, and the certificate pinning that some browsers support is not enough of a "standard" to deal with it.

  4. Sean Kennedy

    Why not revoke MCS Holding's cert which allowed them to sign the fake certs?

    1. CJF

      RTFA: the Chinese cert body, which dealt with the issue on March 22 by revoking MCS' intermediate certificate

      1. Sean Kennedy

        My bad, I missed that.

        Looks like I picked the wrong week to stop sniffing glue.

      2. Oninoshiko

        revoked cert

        so alls well... at least if you are checking certificate revocation lists. You ARE checking certificate revocation lists, right?

        1. Paul Crawford Silver badge

          Re: revoked cert

          Not if you are using Chrome...

          http://www.zdnet.com/article/chrome-does-certificate-revocation-better/

          In spite of the apparent positive spin, the fact remains they don't properly check for revocation. The last point in the article basically says they whole system is crap/broken (as we know) but offers no proper solution to the stupidly lax design of certificate issuing where ANY one of nearly a thousand issuers can sign an imposter certificate for any domain.

          1. Anonymous Coward
            Anonymous Coward

            Re: revoked cert

            "but offers no proper solution to the stupidly lax design of certificate issuing"

            There is no "proper solution to the stupidly lax design of certificate issuing"

            There can be no "proper solution to the stupidly lax design of certificate issuing"

            Not because it's an intractable problem of course. This is simply how the "system" was contrived to be. Contrived back in the days when NSA was quaintly calling itself NIST as it set about scuttling public cryptography.

            Think you can come up with a better system? You probably can. Probably in less than five minutes. Think you can get your solution adopted?

            All your internets are belong to U.S.

            1. John Robson Silver badge

              Re: revoked cert

              Yes, I *can* come up with a better solution.

              I have suggested it here on a number of occasions, and it's generally not badly received...

              SSL certs should be pulled down as a DNS record, with the DNS record secured by DNSSEC.

              DNSSEC already has lookaside validation, and if the root cert was compromised then the whole world would be shouting about it...

              I suggest that each browser company runs their own lookaside validation server as a default lookaside option in their browser (since you explicitly trust them anyway) and allows you to use others if you want to.

              This also provides a nice way to distribute SSH host certs etc...

    2. boba1l0s2k9

      Re:

      They did.

  5. Marketing Hack Silver badge
    Black Helicopters

    MCS Holdings = NSA front company!!

    Oh come on, you guys knew I would say that.

    Well, may or may not be the NSA, but my guess is that MCS is effectively fronting for some nefarious organization.

  6. Anonymous Coward
    Anonymous Coward

    i think that the important question is...

    Who did they sell those certs to?

    A P.O. box in Reston, VA?

  7. awood-something_or_another

    Simple enough......all chinese root certs gone. That took a whole 2 minutes.

    1. Antonymous Coward
      Paris Hilton

      Well that solutionoid would certainly solve this little "problem".

  8. boatsman
    FAIL

    excuse me ??? not malicious.????

    "There is no suggestion at this stage that the certificates were used for malicious purposes."

    Egypt locks up journalists for no reason, and so does china.

    Think before you write???

  9. Richard Boyce
    FAIL

    Bye bye CNNIC

    The best response is to ask if you need to trust CNNIC. I've distrusted them in my browser and I'll see if that has consequences for me. Unlikely.

    1. Michael Wojcik Silver badge

      Re: Bye bye CNNIC

      I'm surprised - there doesn't seem to be a Firefox extension for whitelisting CA certs, like a NoScript for PKI chains. I wonder if there's a technical reason for that (haven't looked at the Firefox add-on interface in a long time), or if it's simply that no one has written one.

      It'd be annoying for the first little while, but I'm willing to be that pretty soon I'd have whitelisted all the CA certs I legitimately expect to see until the next update. And when a non-whitelisted root or intermediary comes up, the extension could do quick CRL and OCSP checks.

      Maybe a project for my next holiday.

  10. -v(o.o)v-

    HTTP public key pinning (HPKP) could help, unless the "DPI box" would strip the header.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019