
Google discovers new security holes in SSL — is the entire system fundamentally flawed?

Data security


Google has discovered that an intermediate certificate authority had issued unauthorized certificates for multiple Google domains. The problem arose because the intermediate authority, MCS Holdings, had issued certificates for the Google domains, despite not holding those domains itself.
The reason it’s critical that companies not mint certificates for websites they don’t operate themselves is because doing so breaks the function of SSL itself. Here’s how the system is supposed to operate:
How SSL works
Your PC contacts a Google server, which returns a certificate. Your computer checks that the certificate chains to a trusted authority and uses the key it contains to set up an encrypted session. The server proves it holds the matching private key, and the secure session with your PC is established. If a third party can obtain a certificate for that same domain, a false server can present it and your computer will accept it, which allows the false server to execute a classic man-in-the-middle attack.
[Image: man-in-the-middle attack diagram]
In a man-in-the-middle attack, an intervening certificate authority can pretend to be the genuine issuing authority, particularly if the intermediate certificate company is given the full authority of an issuing CA, which is what happened here. That’s not supposed to happen, as Google points out — the original Certificate Authority, CNNIC (the China Internet Network Information Center), should never have given such authority to MCS Holdings in the first place.

Fixing the TLS/SSL system

The problem with the SSL system — quite apart from implementation bugs — is that it relies on the idea that Certificate Authorities will always issue good certificates. History has proven this simply isn’t true — multiple Certificate Authorities have been hacked, including companies like VeriSign and the now-defunct DigiNotar. Google wants to revamp the process of issuing certificates with its Certificate Transparency initiative. This project would:
  • Make it impossible (or at least very difficult) for a CA to issue an SSL certificate for a domain without the certificate being visible to the owner of that domain.
  • Provide an open auditing and monitoring system that lets any domain owner or CA determine whether certificates have been mistakenly or maliciously issued.
  • Protect users (as much as possible) from being duped by certificates that were mistakenly or maliciously issued.
Certificates would be logged, and the logs would be monitored by public servers that would periodically check to see if malicious or unauthorized certificates were being used across the net. For example, if Certificate Authority XYZ issued an unauthorized certificate for Gmail, a Certificate Transparency Monitor would detect the problem and alert Google itself. Finally, the logs and monitors would themselves be guarded by a cryptographic watchdog program, which would check to ensure that SSL certificates were properly logged and that the logs weren’t tampered with.
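The three roles described above (an append-only log, a monitor that watches a domain for unexpected issuers, and an auditor that checks the log has not been tampered with) can be sketched in a few dozen lines. The following is an added example written for this page, not code from the original article or from Google's Certificate Transparency project; it uses the RFC 6962 leaf and node hashing for the Merkle tree, and the log entries, issuer names and serial numbers are constructed sample data standing in for real certificates. A monitor watching `www.google.com` flags the entry issued by the unexpected intermediate, and the auditor shows that an entry cannot be silently rewritten without breaking its inclusion proof against the published tree head.

```python
"""Toy Certificate Transparency log, monitor and auditor (added example).

Hashing follows RFC 6962 (0x00 prefix for leaves, 0x01 for interior nodes);
entries are constructed stand-ins, not parsed X.509 certificates.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class CertEntry:
    """Constructed stand-in for a logged certificate."""
    domain: str
    issuer: str
    serial: int

    def encode(self) -> bytes:
        return f"{self.domain}|{self.issuer}|{self.serial}".encode()


def hash_leaf(data: bytes) -> bytes:
    """RFC 6962 leaf hash: SHA-256(0x00 || data); the prefix separates leaves from nodes."""
    return hashlib.sha256(b"\x00" + data).digest()


def hash_node(left: bytes, right: bytes) -> bytes:
    """RFC 6962 interior node hash: SHA-256(0x01 || left || right)."""
    return hashlib.sha256(b"\x01" + left + right).digest()


def _split(n: int) -> int:
    """Largest power of two strictly less than n (n >= 2)."""
    k = 1
    while k * 2 < n:
        k *= 2
    return k


def merkle_root(leaf_hashes: list) -> bytes:
    """Merkle tree head over the leaf hashes (RFC 6962 section 2.1)."""
    n = len(leaf_hashes)
    if n == 0:
        return hashlib.sha256(b"").digest()
    if n == 1:
        return leaf_hashes[0]
    k = _split(n)
    return hash_node(merkle_root(leaf_hashes[:k]), merkle_root(leaf_hashes[k:]))


def inclusion_proof(leaf_hashes: list, index: int) -> list:
    """Audit path for leaf `index`: sibling hashes from the leaf up to the root."""
    n = len(leaf_hashes)
    if n == 1:
        return []
    k = _split(n)
    if index < k:
        return inclusion_proof(leaf_hashes[:k], index) + [merkle_root(leaf_hashes[k:])]
    return inclusion_proof(leaf_hashes[k:], index - k) + [merkle_root(leaf_hashes[:k])]


def verify_inclusion(leaf_hash: bytes, index: int, tree_size: int, proof: list, root: bytes) -> bool:
    """Recompute the root from a leaf hash and its audit path (RFC 9162 section 2.1.3.2)."""
    if index >= tree_size:
        return False
    fn, sn, r = index, tree_size - 1, leaf_hash
    for p in proof:
        if sn == 0:
            return False
        if fn & 1 or fn == sn:
            r = hash_node(p, r)
            if not fn & 1:  # right-shift until LSB(fn) is set or fn is 0
                while fn and not fn & 1:
                    fn >>= 1
                    sn >>= 1
        else:
            r = hash_node(r, p)
        fn >>= 1
        sn >>= 1
    return sn == 0 and r == root


class CTLog:
    """Append-only log; tree_head() plays the role of a signed tree head."""
    def __init__(self):
        self.entries, self.leaves = [], []

    def append(self, entry: CertEntry) -> int:
        self.entries.append(entry)
        self.leaves.append(hash_leaf(entry.encode()))
        return len(self.leaves) - 1

    def tree_head(self):
        return len(self.leaves), merkle_root(self.leaves)

    def proof_for(self, index: int) -> list:
        return inclusion_proof(self.leaves, index)


def monitor(log: CTLog, watched_domain: str, expected_issuers: set) -> list:
    """Monitor role: every logged cert for the domain whose issuer is not on the allow-list."""
    return [e for e in log.entries if e.domain == watched_domain and e.issuer not in expected_issuers]


def demo():
    """Build a constructed log with one rogue entry; return monitor hits, audit results, tamper check."""
    log = CTLog()
    for e in [CertEntry("www.google.com", "Trusted CA A", 1001),      # constructed
              CertEntry("mail.google.com", "Trusted CA A", 1002),     # constructed
              CertEntry("example.org", "Example CA", 2001),           # constructed
              CertEntry("www.google.com", "MCS Holdings", 3001)]:     # constructed rogue issuance
        log.append(e)
    size, root = log.tree_head()
    suspicious = monitor(log, "www.google.com", {"Trusted CA A"})
    # Auditor role: every entry's proof must reproduce the published tree head.
    audit_ok = [verify_inclusion(hash_leaf(e.encode()), i, size, log.proof_for(i), root)
                for i, e in enumerate(log.entries)]
    # A log operator quietly rewriting entry 3 cannot reuse the old proof against the old head.
    rewritten = CertEntry("www.google.com", "Trusted CA A", 3001)
    tamper_detected = not verify_inclusion(hash_leaf(rewritten.encode()), 3, size, log.proof_for(3), root)
    return suspicious, audit_ok, tamper_detected


if __name__ == "__main__":
    print(demo())
```

The monitor is deliberately simple: in practice the allow-list would be the set of CAs the domain owner actually uses, and the auditor would also check consistency proofs between successive tree heads, which the same hashing supports.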
The other problem with the TLS/SSL system, beyond the fact that it relies on intrinsic trust, is that the system can be easily subverted. Unless certificates issued by a particular authority are revoked, those certificates can continue to be used to wreak havoc. This is why the recent Lenovo-Superfish debacle was so dangerous. Until Google, Microsoft, and Firefox updated their own software to reject the Komodia certificate, it remained available and functional — effectively doing an end run around any security that a website might try to provide.
