Skip to main content

Google discovers new security holes in SSL — is the entire system fundamentally flawed?

Image
By
Data security

Share This Article

Google has discovered that an intermediate certificate authority had issued unauthorized certificates for multiple Google domains. The problem arose because the intermediate authority, MCS Holdings, had issued certificates for the Google domains, despite not holding those domains itself.
The reason it’s critical that companies not mint certificates for websites they don’t operate themselves is because doing so breaks the function of SSL itself. Here’s how the system is supposed to operate:
How SSL works
Your PC contacts a Google server, which returns a certificate. Your computer uses that certificate to encrypt a data session. The server confirms that the key is good and establishes the secure session with your PC. When certificates are signed by third parties, it allows the false server to execute a classic man-in-the-middle attack.
Main_the_middle
In a man-in-the-middle attack, an intervening certificate authority can pretend to be the genuine issuing authority, particularly if the intermediate certificate company is given the full authority of an issuing CA, which is what happened here. That’s not supposed to happen, as Google points out — the original Certificate Authority, CNNIC (the Chinese Internet Network Information Center) should never have given such authority to MCS Holding in the first place.

Fixing the TLS/SSL system

The problem with the SSL system — in addition to all the bugs, at least — is that it relies on the idea that Certificate Authorities will always issue good certificates. History has proven this simply isn’t true — multiple Certificate Authorities have been hacked, including companies like VeriSign and the now-defunct DigiNotar. Google wants to revamp the process of issuing certificates with its Certificate Transparency initiative. This project would:
  • Make it impossible (or at least very difficult) for a CA to issue a SSL certificate for a domain without the certificate being visible to the owner of that domain.
  • Provide an open auditing and monitoring system that lets any domain owner or CA determine whether certificates have been mistakenly or maliciously issued.
  • Protect users (as much as possible) from being duped by certificates that were mistakenly or maliciously issued.
Certificates would be logged, and the logs would be monitored by public servers that would periodically check to see if malicious or unauthorized certificates were being used across the net. For example, if Certificate Authority XYZ issued an unauthorized certificate for Gmail, a Certificate Transparency Monitor would detect the problem and alert Google itself. Finally, the logs and monitors would themselves be guarded by a cryptographic watchdog program, which would check to ensure that SSL certificates were properly logged and that the logs weren’t tampered with.
The other problem with the TLS/SSL system, beyond the fact that it relies on intrinsic trust, is that the system can be easily subverted. Unless certificates issued by a particular authority are revoked, those certificates can continue to be used to wreak havoc. This is why the recent Lenovo-Superfish debacle was so dangerous. Until Google, Microsoft, and Firefox updated their own software to reject the Komodo certificate, it remained available and functional — effectively end-running around any security that a website might try to provide.

Comments

Post a Comment

Popular posts from this blog

Square’s New Apple Pay And Chip Card Reader Available To Pre-Order

By
Shortly after going public,  Square  announced that its new card reader is now available to pre-order on  its website  for $49. The new reader will ship in early 2016. It’s been a slow roll-out for the company’s new reader as Square first teased it at Apple’s WWDC in June. Compared to the good old Square reader that you put in your headphone jack, this one packs a few new features. First, it supports Apple Pay, and potentially other contactless payment systems. It has an NFC chip and a tokenization system for secure contactless payments. Second, the new bigger design comes with a new slot for chip cards in case you can’t pay with your phone. Finally, it’s a wireless reader that connects to your phone or tablet using Bluetooth. It has a small built-in battery and you can recharge it with a standard microUSB port. According to  Square’s website , 100 retailers are already using the new reader. But the company has yet to ship the new rea...
Post a Comment
Read more

Report: Amazon Is Building An App To Let Normal People Deliver Packages For Pay

By
Amazon is apparently enlisting everyday humans in its network of endless online shopping delivery. The WSJ reports that the ecommerce giant is working on an app internally that would allow the average consumer to make a little cash by picking up Amazon packages at various retail locations and dropping them off at their final destination. WSJ’s sources did not have a timeline for the release of this product, internally called ‘On My Way,’ and were unsure whether it would launch at all. Amazon has spent years not only iterating the way it tailors your online shopping experience — the mega retailer has one of the best suggestion engines in the business — but also the way that it gets you your products with speed and convenience. Besides the standard shipping (or two-day for Prime members), Amazon has fiddled with the idea of letting Uber drivers and yellow cabs deliver products same-day, as well as using bike messengers and third-party delivery services for Prime N...
Post a Comment
Read more

eGym raises $45M Series C for cloud-connected gym equipment and fitness software

By
eGym , the Munich-based startup that offers cloud-connected gym equipment and supporting cloud software and app for the fitness training floor, has closed $45 million in Series C funding. The round was led by new investor HPE Growth Capital, while existing investors, including Highland Europe, also participated. The problem that eGym is looking to solve is that, whilst gyms have moved from a bodybuilder market to a mass market in the last 20 years, the technology in gyms lags behind. That’s despite the fact that better use of technology can help to reduce customer churn, the biggest pain-point of both gym operator and gym users. Comprising of an app for both gym user and trainer, combined with the company’s connected strength machines, the eGym Cloud makes it possible for gym members to receive better fitness instruction and an evolving and personalised fitness plan based on data collected as they workout. And by providing a better workout feedback loop, gym goers can get an i...
2 comments
Read more

Xiaomi’s 15.6” Notebook To Cost Less Due To Older CPU & GPU

By
Xiaomi is, first and foremost, a smartphone manufacturer. This company tends to dabble in pretty much anything tech-related, and they will release their first notebook soon.  Inventec  has already confirmed that they’re working on (one of) the company’s notebook, and that the device is expected to arrive in April next year. Well, Inventec is working on one of the company’s notebooks, but three different ones have been mentioned, the 12.5, 13.3 and 15.6-inch models. Inventec is working on the 12.5-inch model, while Compal is rumored to be working on the 13.3-inch variant. The  15.6-inch notebook  is the most interesting one here, read on. The specifications of the 15.6-inch Xiaomi notebook have surfaced a while back, and according to that report, the device will sport a 15.6-inch 1080p (1920 x 1080) display, 8GB of RAM and will be powered by Intel’s Core i7 4th-generation SoC. Nvidia’s GeForce GTX 760M GPU is said to be included in this package as well, and...
Post a Comment
Read more

The EHang 184 Is A Human-Sized Drone Taking Off At CES

By
We’ve seen some pretty cool stuff on day 1 of CES 2016, but probably nothing more eye-catching than the EHang 184, a human-sized drone built by the Chinese UAV company  EHang . Yes you heard right — a giant autonomous drone that fits a human. It’s basically what you would expect to see if someone shrunk you down to the size of a LEGO and stuck you next to a DJI Inspire. Except no one was shrunk, and the giant flying machine was sitting smack in the middle of the CES drone section. EHang, which was founded in 2014 and has raised about $50M in venture fundingto date, was pretty gung-ho about telling everyone at CES that the 184 was the future of personal transport. And for the most part, people were too in awe to question them. But the reality is that the company probably was using the 184 as more of a marketing tool for their standard-sized drones like the  Ghost . Not that we’re saying that the 184 will never be a real thing, just that it probably isn’t co...
Post a Comment
Read more