Skip to main content

Google discovers new security holes in SSL — is the entire system fundamentally flawed?

Data security

Share This Article

Google has discovered that an intermediate certificate authority had issued unauthorized certificates for multiple Google domains. The problem arose because the intermediate authority, MCS Holdings, had issued certificates for the Google domains, despite not holding those domains itself.
The reason it’s critical that companies not mint certificates for websites they don’t operate themselves is because doing so breaks the function of SSL itself. Here’s how the system is supposed to operate:
How SSL works
Your PC contacts a Google server, which returns a certificate. Your computer uses that certificate to encrypt a data session. The server confirms that the key is good and establishes the secure session with your PC. When certificates are signed by third parties, it allows the false server to execute a classic man-in-the-middle attack.
Main_the_middle
In a man-in-the-middle attack, an intervening certificate authority can pretend to be the genuine issuing authority, particularly if the intermediate certificate company is given the full authority of an issuing CA, which is what happened here. That’s not supposed to happen, as Google points out — the original Certificate Authority, CNNIC (the Chinese Internet Network Information Center) should never have given such authority to MCS Holding in the first place.

Fixing the TLS/SSL system

The problem with the SSL system — in addition to all the bugs, at least — is that it relies on the idea that Certificate Authorities will always issue good certificates. History has proven this simply isn’t true — multiple Certificate Authorities have been hacked, including companies like VeriSign and the now-defunct DigiNotar. Google wants to revamp the process of issuing certificates with its Certificate Transparency initiative. This project would:
  • Make it impossible (or at least very difficult) for a CA to issue a SSL certificate for a domain without the certificate being visible to the owner of that domain.
  • Provide an open auditing and monitoring system that lets any domain owner or CA determine whether certificates have been mistakenly or maliciously issued.
  • Protect users (as much as possible) from being duped by certificates that were mistakenly or maliciously issued.
Certificates would be logged, and the logs would be monitored by public servers that would periodically check to see if malicious or unauthorized certificates were being used across the net. For example, if Certificate Authority XYZ issued an unauthorized certificate for Gmail, a Certificate Transparency Monitor would detect the problem and alert Google itself. Finally, the logs and monitors would themselves be guarded by a cryptographic watchdog program, which would check to ensure that SSL certificates were properly logged and that the logs weren’t tampered with.
The other problem with the TLS/SSL system, beyond the fact that it relies on intrinsic trust, is that the system can be easily subverted. Unless certificates issued by a particular authority are revoked, those certificates can continue to be used to wreak havoc. This is why the recent Lenovo-Superfish debacle was so dangerous. Until Google, Microsoft, and Firefox updated their own software to reject the Komodo certificate, it remained available and functional — effectively end-running around any security that a website might try to provide.

Comments

Popular posts from this blog

Three Reasons Why You Need Better Personal Cyber security

From the infamous Sony hack to the recent WannaCry virtual catastrophe that affected over 300,000 computers, the need for reliable personal cyber security has never been more apparent. Rubica's skilled team of experts want to remind every one of the importance of cyber security and the three reasons why it is becoming a more pressing issue every day. With top-notch personal cyber security, most attacks are preventable. 1. Larger Number Of Attacks Americans have heard of the most notable attacks on major corporations or government entities over the past several years. However, most people who are not in the information security field do not learn just how much the attack frequency is growing. The number of cyber attacks carried out worldwide in 2015 was quadruple a number of attacks recorded in 2013. Although the cost associated with the number of annual recorded attacks is in the $500 billion range right now, experts say that it will grow well into the trillions by ...

Google Announces Android Wear Update With WiFi Support, Always-On Apps, And More

It has been a while since Android Wear got any substantial updates, but today Google is announcing a big one. A new version of Wear will be rolling out over the coming weeks that includes a number of previously rumored features (like WiFi support) and some all new stuff (like always-on apps). Most Wear devices use the always-on ambient mode for the watch face by default, the Moto 360 being a notable exception. The new Android Wear version allows apps to operate in ambient mode too, so they remain active when the watch goes to sleep. That makes it easier to take a quick glance at the app instead of waking the device up and opening the app all over again. The watch will still only go into full-color mode when necessary. WiFi support is also coming in the update, which means your watch can be useful even if your phone isn't connected. Watches with WiFi support will be able to connect to WiFi and still get messages and notifications from your phone, provided it has an interne...

Google Capital invests in Girnar Software, owner of Indian auto portal CarDekho.com

Girnar Software , which runs several auto portals in India including  CarDekho.com , has raised an undisclosed amount of new funding from Google Capital, with participation from returning investor Hillhouse Capital. This is the fourth Indian startup Google Capital has invested in (its portfolio also includes  Freshdesk ,  Commonfloor , and  Practo ). Before this round, Girnar Software had already raised at least $80 million. In addition to CarDekho.com, Girnar Software runs car classifieds sites  Gaadi.com  and  Zigwheels.com , former competitors which it  acquired in 2014  and  2015 , respectively, and motorbike marketplace  BikeDekho.com . Girnar Software expanded its auto portal business internationally last March with the launch of  CarBay.com , which operates in 25 countries in Asia, Africa, the Middle East, Europe, North America, and South America. The company plans to continue growing overseas with its la...

The Windows 10 Phone Companion and Android: Do you need it?

This is the Windows 10 Phone Companion app. It's what you'll see when you plug your phone into a Windows 10 box. And it's half-useful, half-plea to get you to install some of Microsoft's apps on your phone. (And these days, there's a decent chance that those apps will be on there in the first place.) But it's not entirely without use. You'll notice how it recognizes the make and model of the phone — in this case the Samsung Galaxy S6 edge. It also notes the total charge, and whether it's currently charging. (Which it probably should be seeing as how it's plugged in, but we digress.) You also get a nice glance at where you stand on storage. On this 128GB model, I've got 98.1GB available to me as a user, and 15.7GB of that has been used. (SD card storage is blank because there's no external storage on the GS6, of course.) The apps Microsoft suggests you download here include OneDrive, OneNote, Skype, Office (OK, Word, Excel and PowerP...

WhatsApp 2.12.45 Adds The Option To Back Up And Restore From Google Drive

I know it seems that we have a new WhatsApp post every couple of days on Android Police lately, but it ain't our fault. The app's developers, specifically the Android team, appear to be drinking the good kind of kool-aid and kicking one new version after the other with not only bug fixes, but also lots of new goodies. So first there was the  Web "client" , then the saga of the  voice calling feature rollout, followed by the  Material design update , and now Google Drive is being implemented as a backup option inside the app. It was only a few weeks ago that  we received translation strings  that hinted at WhatsApp's potential plan to enable backing up and restoring your conversation history and media to Google Drive. But the function just went live in the app's most recent version 2.12.45 which can be found  on APK Mirror  — the official  WhatsApp Android download page  still lists 2.12.44 at the time th...