Skip to main content

Google discovers new security holes in SSL — is the entire system fundamentally flawed?

Image
By
Data security

Share This Article

Google has discovered that an intermediate certificate authority had issued unauthorized certificates for multiple Google domains. The problem arose because the intermediate authority, MCS Holdings, had issued certificates for the Google domains, despite not holding those domains itself.
The reason it’s critical that companies not mint certificates for websites they don’t operate themselves is because doing so breaks the function of SSL itself. Here’s how the system is supposed to operate:
How SSL works
Your PC contacts a Google server, which returns a certificate. Your computer uses that certificate to encrypt a data session. The server confirms that the key is good and establishes the secure session with your PC. When certificates are signed by third parties, it allows the false server to execute a classic man-in-the-middle attack.
Main_the_middle
In a man-in-the-middle attack, an intervening certificate authority can pretend to be the genuine issuing authority, particularly if the intermediate certificate company is given the full authority of an issuing CA, which is what happened here. That’s not supposed to happen, as Google points out — the original Certificate Authority, CNNIC (the Chinese Internet Network Information Center) should never have given such authority to MCS Holding in the first place.

Fixing the TLS/SSL system

The problem with the SSL system — in addition to all the bugs, at least — is that it relies on the idea that Certificate Authorities will always issue good certificates. History has proven this simply isn’t true — multiple Certificate Authorities have been hacked, including companies like VeriSign and the now-defunct DigiNotar. Google wants to revamp the process of issuing certificates with its Certificate Transparency initiative. This project would:
  • Make it impossible (or at least very difficult) for a CA to issue a SSL certificate for a domain without the certificate being visible to the owner of that domain.
  • Provide an open auditing and monitoring system that lets any domain owner or CA determine whether certificates have been mistakenly or maliciously issued.
  • Protect users (as much as possible) from being duped by certificates that were mistakenly or maliciously issued.
Certificates would be logged, and the logs would be monitored by public servers that would periodically check to see if malicious or unauthorized certificates were being used across the net. For example, if Certificate Authority XYZ issued an unauthorized certificate for Gmail, a Certificate Transparency Monitor would detect the problem and alert Google itself. Finally, the logs and monitors would themselves be guarded by a cryptographic watchdog program, which would check to ensure that SSL certificates were properly logged and that the logs weren’t tampered with.
The other problem with the TLS/SSL system, beyond the fact that it relies on intrinsic trust, is that the system can be easily subverted. Unless certificates issued by a particular authority are revoked, those certificates can continue to be used to wreak havoc. This is why the recent Lenovo-Superfish debacle was so dangerous. Until Google, Microsoft, and Firefox updated their own software to reject the Komodo certificate, it remained available and functional — effectively end-running around any security that a website might try to provide.

Comments

Post a Comment

Popular posts from this blog

Visa confirms Coinbase wasn’t at fault for overcharging users

By
Yesterday, we wrote that Coinbase customers were being charged multiple times for past transactions. While some speculated that the erroneous withdraws were down to a Coinbase engineering issue, Coinbase issued a statement saying it wasn’t liable for the duplicate charges. The blame, instead, rested with Visa for the way it handled a migration of merchant categories for cryptocurrencies, Coinbase said. While you can read my post yesterday for an in-depth description of what happened, the basic gist is that Visa refunded and recharged (under a different merchant category) a month of old transactions. Many users saw the recharge come through before the refund processed, making it look like they were double charged. Honestly, the issue was likely exacerbated by existing payment rails — it’s normal for refunds to take multiple days to show up on credit and debit statements. But here’s where it gets weird — this morning Visa issued a statement to some publications shifting the blam...
Post a Comment
Read more

LeafLink Raises $750K To Become Salesforce For The Cannabis Industry

By
LeafLink , an NY-based wholesale management platform for the cannabis industry, has closed a $750k seed round led by group of NY angel investors. The software platform is designed to support participants in a B2B supply chain, providing basic tools designed to save money for retailers and allow producers to get better pricing for their product. These tools will include a centralized location to view correspondence between buyers and suppliers, inventory and order tracking tools, and a portal to discover new products and services so users can source leads and close deals from within the platform. Founders Ryan Smith and Zach Silverman explained that they “believe cannabis regulation and distribution is moving toward mimicking the alcohol industry with regional distributors and nonsensical supply chain participants”. By focusing on creating a supply chain similar to the alcohol industry, the company hopes to eventually be the universally accepted way for buyer...
Post a Comment
Read more

Here’s how to keep track of Elon Musk’s Roadster and Starman in space

By
Elon Musk’s Starman, the mannequin driver of the Tesla Roadster SpaceX launched aboard its Falcon Heavy rocket, is taking a trip around our solar system, in a large elliptical orbit that will bring him relatively close to Mars, the Sun and other heavenly bodies. But how to track the trip, now that the Roadster’s onboard batteries are out of juice and no longer transmitting live footage? Thanks to the work of Ben Pearson, a SpaceX fan and electrical engineer working in the aerospace industry, who created ‘Where is Roadster,’ a website that makes use of JPL Horizons data to track the progress of the Roadster and Starman through space, and to predict its path and let you know when it’ll come close to meeting up with various planets and the Sun. The website tells you the Roadster’s current position, too, as well as its speed and whether it’s moving towards or away from Earth and Mars at any given moment. It’s not officially affiliated with SpaceX or Tesla, but it is something Elon...
Post a Comment
Read more

How ad-free subscriptions could solve Facebook

By
At the core of Facebook’s “well-being” problem is that its business is directly coupled with total time spent on its apps. The more hours you pass on the social network, the more ads you see and click, the more money it earns. That puts its plan to make using Facebook healthier at odds with its finances, restricting how far it’s willing to go to protect us from the harms of over use. The advertising-supported model comes with some big benefits, though. Facebook CEO Mark Zuckerberg has repeatedly said that “We will always keep Facebook a free service for everyone.” Ads lets Facebook remain free for those who don’t want to pay, and more importantly, for those around the world who couldn’t afford to. Ads pay for Facebook to keep the lights on, research and develop new technologies, and profit handsomely in a way that attracts top talent and further investment. More affluent users with more buying power in markets like the US, UK, and Canada command higher ad prices, effectively...
1 comment
Read more

Engineering against all odds, or how NYC’s subway will get wireless in the tunnels

By
Never ask a wireless engineer working on the NYC subway system “What can go wrong?” Flooding, ice, brake dust, and power outages relentlessly attack the network components. Rats — many, many rats — can eat power and fiber optic cables and bring down the whole system. Humans are no different, as their curiosity or malice strikes a blow against wireless hardware (literally and metaphorically). Serverless software deployment to the cloud, this is not. New York City officially got wireless service in every underground subway station a little more than a year ago, and I was curious what work went into the buildout of this system as well as how it will expand in the future. That curiosity is part of a series of articles I’ve written on an observed pattern known as cost disease, the massively inflating costs of basic human services like health care, housing, infrastructure, and education. The United States spends trillions of dollars on each of these fields, massively outspending sim...
Post a Comment
Read more