Skip to main content

Google discovers new security holes in SSL — is the entire system fundamentally flawed?

Image
By
Data security

Share This Article

Google has discovered that an intermediate certificate authority had issued unauthorized certificates for multiple Google domains. The problem arose because the intermediate authority, MCS Holdings, had issued certificates for the Google domains, despite not holding those domains itself.
The reason it’s critical that companies not mint certificates for websites they don’t operate themselves is because doing so breaks the function of SSL itself. Here’s how the system is supposed to operate:
How SSL works
Your PC contacts a Google server, which returns a certificate. Your computer uses that certificate to encrypt a data session. The server confirms that the key is good and establishes the secure session with your PC. When certificates are signed by third parties, it allows the false server to execute a classic man-in-the-middle attack.
Main_the_middle
In a man-in-the-middle attack, an intervening certificate authority can pretend to be the genuine issuing authority, particularly if the intermediate certificate company is given the full authority of an issuing CA, which is what happened here. That’s not supposed to happen, as Google points out — the original Certificate Authority, CNNIC (the Chinese Internet Network Information Center) should never have given such authority to MCS Holding in the first place.

Fixing the TLS/SSL system

The problem with the SSL system — in addition to all the bugs, at least — is that it relies on the idea that Certificate Authorities will always issue good certificates. History has proven this simply isn’t true — multiple Certificate Authorities have been hacked, including companies like VeriSign and the now-defunct DigiNotar. Google wants to revamp the process of issuing certificates with its Certificate Transparency initiative. This project would:
  • Make it impossible (or at least very difficult) for a CA to issue a SSL certificate for a domain without the certificate being visible to the owner of that domain.
  • Provide an open auditing and monitoring system that lets any domain owner or CA determine whether certificates have been mistakenly or maliciously issued.
  • Protect users (as much as possible) from being duped by certificates that were mistakenly or maliciously issued.
Certificates would be logged, and the logs would be monitored by public servers that would periodically check to see if malicious or unauthorized certificates were being used across the net. For example, if Certificate Authority XYZ issued an unauthorized certificate for Gmail, a Certificate Transparency Monitor would detect the problem and alert Google itself. Finally, the logs and monitors would themselves be guarded by a cryptographic watchdog program, which would check to ensure that SSL certificates were properly logged and that the logs weren’t tampered with.
The other problem with the TLS/SSL system, beyond the fact that it relies on intrinsic trust, is that the system can be easily subverted. Unless certificates issued by a particular authority are revoked, those certificates can continue to be used to wreak havoc. This is why the recent Lenovo-Superfish debacle was so dangerous. Until Google, Microsoft, and Firefox updated their own software to reject the Komodo certificate, it remained available and functional — effectively end-running around any security that a website might try to provide.

Comments

Post a Comment

Popular posts from this blog

Top 20 WordPress Interview Questions and Answers

By
Top 40 WordPress Interview Questions and Answers  for freshers and experienced are below are below : 1. What is WordPress? WordPress is an online, open source website creation tool written in PHP. But in non-geek speak, it's probably the easiest and most powerful blogging and website content management system (or CMS) in existence today. 2. Different between WordPress.com vs WordPress.org? WordPress.com (fully hosted) Focus on your beautiful content, and let us handle the rest. WordPress.org (self-hosted) Get your hands dirty, and host your website yourself. refer official URL: https://en.support.wordpress.com/com-vs-org/ for more details. 3. Use of WordPress? WordPress is a free and open-source blogging tool and a content management system (CMS) based on PHP and MySQL. Features include a plugin architecture and a template system. WordPress was used by more than 23.3% of the top 10 million websites as of January 2015 4. feature of WordPress? Here are some of the featu...
Post a Comment
Read more

IT Where

By
#Responsive_Webdesign  start from #7500, #hosting_Service  Start from #3300 Per Year #get   #your   #special  offers at  Itwhere Pondy #Digital_Marketing  , #SEO , #Product_Branding  at Itwhere Pondy Email:info@itwheretech.co. in M:+91 9092734853 www.itwheretech.co.in
Post a Comment
Read more

How Education Will Be Smarter, Less Intrusive, And Able To Respond To How You Feel

By
Impatience characterizes the technology sector’s approach to education. Disruption is taking place in all other sectors of society — so, why not education? I know too well, whether at Pearson or in the classroom, the challenges and frustration of developing and using digital tools that improve outcomes for students. But I’m optimistic. We are on the verge of a tide of smarter innovation that, if allowed to spread, will turbocharge the learning experience for students. Here are four areas worth watching: 1. Using technology to learn from learners Every great digital product constantly evolves by learning from its users, adding capabilities, and improving its performance. If it’s true for your Facebook feed, then why not education? The potential is there, as the OECD’s recent report on  Students, Computers and Learning  (OECD) incidentally showed how clickstream and tracking navigation in digital readers can be used to see how students process online text and...
Post a Comment
Read more

Phoenix OS is (another) Android-as-a-desktop

By
Google Android may have been developed as a smartphone operating system (and later ported to tablets, TVs, watches, and other platforms), but over the past few years we’ve seen a number of attempts to turn it into a desktop operating system. One of the most successful has been  Remix OS , which gives Android a taskbar, start menu, and an excellent window management system. The Remix OS team has also generated a lot of buzz over the past year, and this week the operating system gained a lot of new alpha testers thanks to a  downloadable version of Remix OS  that you can run on many recent desktop or notebook computers. But Remix OS isn’t the only game in town.  Phoenix OS  is another Android-as-desktop operating system, and while it’s still pretty rough around the edges, there are a few features that could make it a better option for some testers. Some background I first discovered Phoenix OS from  a post in the Remix OS Google Group , altho...
3 comments
Read more

Google Announces Android Wear Update With WiFi Support, Always-On Apps, And More

By
It has been a while since Android Wear got any substantial updates, but today Google is announcing a big one. A new version of Wear will be rolling out over the coming weeks that includes a number of previously rumored features (like WiFi support) and some all new stuff (like always-on apps). Most Wear devices use the always-on ambient mode for the watch face by default, the Moto 360 being a notable exception. The new Android Wear version allows apps to operate in ambient mode too, so they remain active when the watch goes to sleep. That makes it easier to take a quick glance at the app instead of waking the device up and opening the app all over again. The watch will still only go into full-color mode when necessary. WiFi support is also coming in the update, which means your watch can be useful even if your phone isn't connected. Watches with WiFi support will be able to connect to WiFi and still get messages and notifications from your phone, provided it has an interne...
Post a Comment
Read more