Skip to main content

Google discovers new security holes in SSL — is the entire system fundamentally flawed?

Image
By
Data security

Share This Article

Google has discovered that an intermediate certificate authority had issued unauthorized certificates for multiple Google domains. The problem arose because the intermediate authority, MCS Holdings, had issued certificates for the Google domains, despite not holding those domains itself.
The reason it’s critical that companies not mint certificates for websites they don’t operate themselves is because doing so breaks the function of SSL itself. Here’s how the system is supposed to operate:
How SSL works
Your PC contacts a Google server, which returns a certificate. Your computer uses that certificate to encrypt a data session. The server confirms that the key is good and establishes the secure session with your PC. When certificates are signed by third parties, it allows the false server to execute a classic man-in-the-middle attack.
Main_the_middle
In a man-in-the-middle attack, an intervening certificate authority can pretend to be the genuine issuing authority, particularly if the intermediate certificate company is given the full authority of an issuing CA, which is what happened here. That’s not supposed to happen, as Google points out — the original Certificate Authority, CNNIC (the Chinese Internet Network Information Center) should never have given such authority to MCS Holding in the first place.

Fixing the TLS/SSL system

The problem with the SSL system — in addition to all the bugs, at least — is that it relies on the idea that Certificate Authorities will always issue good certificates. History has proven this simply isn’t true — multiple Certificate Authorities have been hacked, including companies like VeriSign and the now-defunct DigiNotar. Google wants to revamp the process of issuing certificates with its Certificate Transparency initiative. This project would:
  • Make it impossible (or at least very difficult) for a CA to issue a SSL certificate for a domain without the certificate being visible to the owner of that domain.
  • Provide an open auditing and monitoring system that lets any domain owner or CA determine whether certificates have been mistakenly or maliciously issued.
  • Protect users (as much as possible) from being duped by certificates that were mistakenly or maliciously issued.
Certificates would be logged, and the logs would be monitored by public servers that would periodically check to see if malicious or unauthorized certificates were being used across the net. For example, if Certificate Authority XYZ issued an unauthorized certificate for Gmail, a Certificate Transparency Monitor would detect the problem and alert Google itself. Finally, the logs and monitors would themselves be guarded by a cryptographic watchdog program, which would check to ensure that SSL certificates were properly logged and that the logs weren’t tampered with.
The other problem with the TLS/SSL system, beyond the fact that it relies on intrinsic trust, is that the system can be easily subverted. Unless certificates issued by a particular authority are revoked, those certificates can continue to be used to wreak havoc. This is why the recent Lenovo-Superfish debacle was so dangerous. Until Google, Microsoft, and Firefox updated their own software to reject the Komodo certificate, it remained available and functional — effectively end-running around any security that a website might try to provide.

Comments

Post a Comment

Popular posts from this blog

Google is using machine learning to teach robots how to grasp random objects

By
Using your hand to grasp a pen that’s lying on your desk doesn’t exactly feel like a chore, but for robots, that’s still a really hard thing to do. So to teach robots how to better grasp random objects, Google’s research team  dedicated 14 robots to the task . The standard way to solve this problem would be for the robot to survey the environment, create a plan for how to grasp the object, then execute on it. In the real world, though, lots of things can change between formulating that plan and executing on it. Google is now using these robots to train a deep  convolutional neural network  (a technique that’s all the rage in machine learning right now) to help its robots predict the outcome of their grasps based on the camera input and motor commands. It’s basically hand-eye coordination for robots. The team says that it took about 3,000 hours of practice (and 800,000 grasp attempts) before it saw “the beginnings of intelligent reacti...
Post a Comment
Read more

Here Are The First Connected Home Devices For Apple’s HomeKit

By
Apple’s HomeKit is finally starting to roll out to actual consumers, via the first crop of HomeKit-enabled accessories from third-party manufacturers. This means you’ll soon be able to get your hands on a range of products for the connected home that work with Siri on your iOS device, and that you’ll be able to do so as soon as today, since some of the new HomeKit accessories start shipping now. The accessories in question range from sensors, to lights, to thermostats, to smart outlets, and come from a group of accessory-makers with a trusted reputation in the connected home industry. HomeKit may have taken a while to arrive, but it’s doing so in grand fashion, with a practical lineup to get your home connected to your iOS ecosystem in an essential way. Elgato Eve The  Elgato Eve  is a set of connected wireless sensors that monitor key factors like indoor air quality, temperature, humidity as well as conditions outside, like temperature, humidity and air pre...
Post a Comment
Read more

How ad-free subscriptions could solve Facebook

By
At the core of Facebook’s “well-being” problem is that its business is directly coupled with total time spent on its apps. The more hours you pass on the social network, the more ads you see and click, the more money it earns. That puts its plan to make using Facebook healthier at odds with its finances, restricting how far it’s willing to go to protect us from the harms of over use. The advertising-supported model comes with some big benefits, though. Facebook CEO Mark Zuckerberg has repeatedly said that “We will always keep Facebook a free service for everyone.” Ads lets Facebook remain free for those who don’t want to pay, and more importantly, for those around the world who couldn’t afford to. Ads pay for Facebook to keep the lights on, research and develop new technologies, and profit handsomely in a way that attracts top talent and further investment. More affluent users with more buying power in markets like the US, UK, and Canada command higher ad prices, effectively...
1 comment
Read more

Amazon Is Giving Away Unlimited Cloud Storage For $5.00

By
Amid a slew of deep discounts appearing on the web today as a part of the shopping holiday Black Friday, Amazon has introduced one deal that’s sort of a no brainer. The company is  giving away unlimited online storage  on its cloud servers for just five dollars. The normal price for this is $60 per year, so this – 92% off – represents a significant savings. The deal is aimed at promoting  Amazon’s Cloud Drive service  – an online storage site that competes with similar services like Dropbox, Google Drive, Microsoft’s OneDrive, and more. Cloud Drive allows you to store documents, music, photos, videos and other files in the cloud, which you can access from any web-connected device, including smartphones and tablets by way of Amazon’s Cloud Drive mobile applications. However, be aware that if you’re planning to use the now $5 service primarily for photo backups, you may already have that option enabled. Amazon Prime currently offers free, unlimited pho...
Post a Comment
Read more

How to Run Older Applications in Windows 10

By
You cannot expect all the vendors to upgrade their programs to make them compatible with Windows and neither would you want to purchase all the applications every time a new version of Windows is out. Nonetheless, the fact still remains the same that not all applications are compatible with the latest operating systems and there are times when many applications do not initialize when you upgrade your PC to a newer version of Windows. To make things easy for you, Windows 10 allows you to run the programs in compatibility mode. Running a program in compatibility mode makes the application think that it is installed on an older, compatible version of Windows, thus the software runs without any flaws. There are two ways you can run a program in compatibility mode: Program Compatibility Troubleshooter – This is a step-by-step wizard that allows you to pick a program that you prefer to use and configures it to run in compatibility mode. Compatibility Tab – This tab can...
Post a Comment
Read more