
Google discovers new security holes in SSL — is the entire system fundamentally flawed?

Data security

Google has discovered that an intermediate certificate authority had issued unauthorized certificates for multiple Google domains. The problem arose because the intermediate authority, MCS Holdings, had issued certificates for the Google domains, despite not holding those domains itself.
It’s critical that companies not mint certificates for websites they don’t operate themselves, because doing so breaks the function of SSL itself. Here’s how the system is supposed to operate:
How SSL works
Your PC contacts a Google server, which returns a certificate. Your computer uses that certificate to encrypt a data session. The server confirms that the key is good and establishes the secure session with your PC. When a third party issues certificates for a domain it doesn’t operate, a false server can present one of them and execute a classic man-in-the-middle attack.
In a man-in-the-middle attack, an intervening certificate authority can pretend to be the genuine issuing authority, particularly if the intermediate certificate company is given the full authority of an issuing CA, which is what happened here. That’s not supposed to happen, as Google points out: the original Certificate Authority, CNNIC (the Chinese Internet Network Information Center), should never have given such authority to MCS Holdings in the first place.

Fixing the TLS/SSL system

The problem with the SSL system, in addition to all the bugs, is that it relies on the idea that Certificate Authorities will always issue good certificates. History has proven this simply isn’t true: multiple Certificate Authorities have been hacked, including companies like VeriSign and the now-defunct DigiNotar. Google wants to revamp the process of issuing certificates with its Certificate Transparency initiative. This project would:
  • Make it impossible (or at least very difficult) for a CA to issue an SSL certificate for a domain without the certificate being visible to the owner of that domain.
  • Provide an open auditing and monitoring system that lets any domain owner or CA determine whether certificates have been mistakenly or maliciously issued.
  • Protect users (as much as possible) from being duped by certificates that were mistakenly or maliciously issued.
Certificates would be logged, and the logs would be monitored by public servers that would periodically check to see if malicious or unauthorized certificates were being used across the net. For example, if Certificate Authority XYZ issued an unauthorized certificate for Gmail, a Certificate Transparency Monitor would detect the problem and alert Google itself. Finally, the logs and monitors would themselves be guarded by a cryptographic watchdog program, which would check to ensure that SSL certificates were properly logged and that the logs weren’t tampered with.
The other problem with the TLS/SSL system, beyond the fact that it relies on intrinsic trust, is that the system can be easily subverted. Unless certificates issued by a particular authority are revoked, those certificates can continue to be used to wreak havoc. This is why the recent Lenovo-Superfish debacle was so dangerous. Until Google, Microsoft, and Firefox updated their own software to reject the Komodo certificate, it remained available and functional — effectively end-running around any security that a website might try to provide.
