Google discovers new security holes in SSL — is the entire system fundamentally flawed?

Share This Article

Google has discovered that an intermediate certificate authority had issued unauthorized certificates for multiple Google domains. The problem arose because the intermediate authority, MCS Holdings, had issued certificates for the Google domains, despite not holding those domains itself.

The reason it’s critical that companies not mint certificates for websites they don’t operate themselves is because doing so breaks the function of SSL itself. Here’s how the system is supposed to operate:

Your PC contacts a Google server, which returns a certificate. Your computer uses that certificate to encrypt a data session. The server confirms that the key is good and establishes the secure session with your PC. When certificates are signed by third parties, it allows the false server to execute a classic man-in-the-middle attack.

In a man-in-the-middle attack, an intervening certificate authority can pretend to be the genuine issuing authority, particularly if the intermediate certificate company is given the full authority of an issuing CA, which is what happened here. That’s not supposed to happen, as Google points out — the original Certificate Authority, CNNIC (the Chinese Internet Network Information Center) should never have given such authority to MCS Holding in the first place.

Fixing the TLS/SSL system

The problem with the SSL system — in addition to all the bugs, at least — is that it relies on the idea that Certificate Authorities will always issue good certificates. History has proven this simply isn’t true — multiple Certificate Authorities have been hacked, including companies like VeriSign and the now-defunct DigiNotar. Google wants to revamp the process of issuing certificates with its Certificate Transparency initiative. This project would:

Make it impossible (or at least very difficult) for a CA to issue a SSL certificate for a domain without the certificate being visible to the owner of that domain.
Provide an open auditing and monitoring system that lets any domain owner or CA determine whether certificates have been mistakenly or maliciously issued.
Protect users (as much as possible) from being duped by certificates that were mistakenly or maliciously issued.

Certificates would be logged, and the logs would be monitored by public servers that would periodically check to see if malicious or unauthorized certificates were being used across the net. For example, if Certificate Authority XYZ issued an unauthorized certificate for Gmail, a Certificate Transparency Monitor would detect the problem and alert Google itself. Finally, the logs and monitors would themselves be guarded by a cryptographic watchdog program, which would check to ensure that SSL certificates were properly logged and that the logs weren’t tampered with.

The other problem with the TLS/SSL system, beyond the fact that it relies on intrinsic trust, is that the system can be easily subverted. Unless certificates issued by a particular authority are revoked, those certificates can continue to be used to wreak havoc. This is why the recent Lenovo-Superfish debacle was so dangerous. Until Google, Microsoft, and Firefox updated their own software to reject the Komodo certificate, it remained available and functional — effectively end-running around any security that a website might try to provide.

Comments

Square’s New Apple Pay And Chip Card Reader Available To Pre-Order

Shortly after going public, Square announced that its new card reader is now available to pre-order on its website for $49. The new reader will ship in early 2016. It’s been a slow roll-out for the company’s new reader as Square first teased it at Apple’s WWDC in June. Compared to the good old Square reader that you put in your headphone jack, this one packs a few new features. First, it supports Apple Pay, and potentially other contactless payment systems. It has an NFC chip and a tokenization system for secure contactless payments. Second, the new bigger design comes with a new slot for chip cards in case you can’t pay with your phone. Finally, it’s a wireless reader that connects to your phone or tablet using Bluetooth. It has a small built-in battery and you can recharge it with a standard microUSB port. According to Square’s website , 100 retailers are already using the new reader. But the company has yet to ship the new rea...

Report: Amazon Is Building An App To Let Normal People Deliver Packages For Pay

Amazon is apparently enlisting everyday humans in its network of endless online shopping delivery. The WSJ reports that the ecommerce giant is working on an app internally that would allow the average consumer to make a little cash by picking up Amazon packages at various retail locations and dropping them off at their final destination. WSJ’s sources did not have a timeline for the release of this product, internally called ‘On My Way,’ and were unsure whether it would launch at all. Amazon has spent years not only iterating the way it tailors your online shopping experience — the mega retailer has one of the best suggestion engines in the business — but also the way that it gets you your products with speed and convenience. Besides the standard shipping (or two-day for Prime members), Amazon has fiddled with the idea of letting Uber drivers and yellow cabs deliver products same-day, as well as using bike messengers and third-party delivery services for Prime N...

The data center of the (near) future

Tight budgets and explosive data growth call for creative thinking on how and where to build data centers: http://dell.to/1tv4FsL #datacenter #modulardatacenter #floatingdatacenter http://techpageone.dell.com/technology/the-data-center-of-the-near-future/?dgc=SM&cid=75909&lid=5342172#.U_6lTvldXfJ

The EHang 184 Is A Human-Sized Drone Taking Off At CES

We’ve seen some pretty cool stuff on day 1 of CES 2016, but probably nothing more eye-catching than the EHang 184, a human-sized drone built by the Chinese UAV company EHang . Yes you heard right — a giant autonomous drone that fits a human. It’s basically what you would expect to see if someone shrunk you down to the size of a LEGO and stuck you next to a DJI Inspire. Except no one was shrunk, and the giant flying machine was sitting smack in the middle of the CES drone section. EHang, which was founded in 2014 and has raised about $50M in venture fundingto date, was pretty gung-ho about telling everyone at CES that the 184 was the future of personal transport. And for the most part, people were too in awe to question them. But the reality is that the company probably was using the 184 as more of a marketing tool for their standard-sized drones like the Ghost . Not that we’re saying that the 184 will never be a real thing, just that it probably isn’t co...

Windows 10 build 10136 screenshots posted by Windows Insider chief

We are used to seeing leaked screenshots of unreleased Windows 10 builds coming from third parties. However, it’s rare when a member of the Windows team does it himself. Today, Gabriel Aul, the head of the Windows Insider program, did just that on his Twitter account with two screenshots showing Windows 10 build 10136. Currently, Microsoft has build 10130 available for the over 4 million Windows Insider members to check out. There’s not a lot that’s new in these two new images, although the system tray arrow and File Explorer icons have both been updated. One of the images also shows that Word 95 can indeed run inside Windows 10. Microsoft has already announced that Windows 10 will officially launch, or more accurately come out of its preview stage, on July 29. Earlier today at Computex 2015, the company announced there will be about 300 products running the operating system by the time it debuts. Via: Windows Central , Gabriel Aul

Exciting Technology

Search This Blog