Skip to main content

Google discovers new security holes in SSL — is the entire system fundamentally flawed?

Image
By
Data security

Share This Article

Google has discovered that an intermediate certificate authority had issued unauthorized certificates for multiple Google domains. The problem arose because the intermediate authority, MCS Holdings, had issued certificates for the Google domains, despite not holding those domains itself.
The reason it’s critical that companies not mint certificates for websites they don’t operate themselves is because doing so breaks the function of SSL itself. Here’s how the system is supposed to operate:
How SSL works
Your PC contacts a Google server, which returns a certificate. Your computer uses that certificate to encrypt a data session. The server confirms that the key is good and establishes the secure session with your PC. When certificates are signed by third parties, it allows the false server to execute a classic man-in-the-middle attack.
Main_the_middle
In a man-in-the-middle attack, an intervening certificate authority can pretend to be the genuine issuing authority, particularly if the intermediate certificate company is given the full authority of an issuing CA, which is what happened here. That’s not supposed to happen, as Google points out — the original Certificate Authority, CNNIC (the Chinese Internet Network Information Center) should never have given such authority to MCS Holding in the first place.

Fixing the TLS/SSL system

The problem with the SSL system — in addition to all the bugs, at least — is that it relies on the idea that Certificate Authorities will always issue good certificates. History has proven this simply isn’t true — multiple Certificate Authorities have been hacked, including companies like VeriSign and the now-defunct DigiNotar. Google wants to revamp the process of issuing certificates with its Certificate Transparency initiative. This project would:
  • Make it impossible (or at least very difficult) for a CA to issue a SSL certificate for a domain without the certificate being visible to the owner of that domain.
  • Provide an open auditing and monitoring system that lets any domain owner or CA determine whether certificates have been mistakenly or maliciously issued.
  • Protect users (as much as possible) from being duped by certificates that were mistakenly or maliciously issued.
Certificates would be logged, and the logs would be monitored by public servers that would periodically check to see if malicious or unauthorized certificates were being used across the net. For example, if Certificate Authority XYZ issued an unauthorized certificate for Gmail, a Certificate Transparency Monitor would detect the problem and alert Google itself. Finally, the logs and monitors would themselves be guarded by a cryptographic watchdog program, which would check to ensure that SSL certificates were properly logged and that the logs weren’t tampered with.
The other problem with the TLS/SSL system, beyond the fact that it relies on intrinsic trust, is that the system can be easily subverted. Unless certificates issued by a particular authority are revoked, those certificates can continue to be used to wreak havoc. This is why the recent Lenovo-Superfish debacle was so dangerous. Until Google, Microsoft, and Firefox updated their own software to reject the Komodo certificate, it remained available and functional — effectively end-running around any security that a website might try to provide.

Comments

Post a Comment

Popular posts from this blog

How ad-free subscriptions could solve Facebook

By
At the core of Facebook’s “well-being” problem is that its business is directly coupled with total time spent on its apps. The more hours you pass on the social network, the more ads you see and click, the more money it earns. That puts its plan to make using Facebook healthier at odds with its finances, restricting how far it’s willing to go to protect us from the harms of over use. The advertising-supported model comes with some big benefits, though. Facebook CEO Mark Zuckerberg has repeatedly said that “We will always keep Facebook a free service for everyone.” Ads lets Facebook remain free for those who don’t want to pay, and more importantly, for those around the world who couldn’t afford to. Ads pay for Facebook to keep the lights on, research and develop new technologies, and profit handsomely in a way that attracts top talent and further investment. More affluent users with more buying power in markets like the US, UK, and Canada command higher ad prices, effectively...
1 comment
Read more

Windows 7 and 8.1 Update to Windows 10 automatically

By
Windows 10 downloader While it might be a bit too early to start getting excited over the  Windows 10 update , which isn't expected to arrive until summer, Microsoft seems to already be warming up people's computers just the same. A recommended, and therefore purely optional, update for Windows 7 Service Pack 1 and Windows 8.1 has been discovered to be laying the groundwork for those machines' eventual upgrade to Windows 10. Although the  Windows 10 release date  was not announced officially, the details of this update also reveal how Microsoft might try to convince users to update to the latest Windows 10 version.  The  KB3035583  update "enables additional capabilities for Windows Update notifications when new updates are available to the user", which sounds pretty common. That is, until you dig into the update files and see a certain  GWXUXWorker.exe which, upon further inspection, would actually "Download Windows 10". So this rather ...
Post a Comment
Read more

Anyline Raises €1.5M To Let You Add Optical Character Recognition To Your App

By
Anyline , the Austrian startup that provides mobile OCR tech to enable developers to add text recognition to their own apps, has raised €1.5 million in funding. The list of investors is interesting, too. It includes angel investor Johann ‘Hansi’ Hansmann, busuu co-founder Bernhard Niesner, Lukas Püspök, and the U.S.-based VC-fund iSeed Ventures. However, most notable is that the round was led by Gernot Langes-Swarovski Group. As one investor put it to me, “the fact that the Swarovski family led the round shows that finally ‘old’ money is moving into Austrian startups”. Offering its own mobile Optical Character Recognition (OCR) technology — which uses a smartphone’s camera to accurately scan and recognise any kind of text, code or number — Anyline co-founder and CEO Lukas Kinigadner tells me the startup is built on the premise that “people screw up a lot”. “Mistakes happen easily when you’re writing down a 10-digit-number and then have to type it in again a few moments later...
Post a Comment
Read more

Three Reasons Why You Need Better Personal Cyber security

By
From the infamous Sony hack to the recent WannaCry virtual catastrophe that affected over 300,000 computers, the need for reliable personal cyber security has never been more apparent. Rubica's skilled team of experts want to remind every one of the importance of cyber security and the three reasons why it is becoming a more pressing issue every day. With top-notch personal cyber security, most attacks are preventable. 1. Larger Number Of Attacks Americans have heard of the most notable attacks on major corporations or government entities over the past several years. However, most people who are not in the information security field do not learn just how much the attack frequency is growing. The number of cyber attacks carried out worldwide in 2015 was quadruple a number of attacks recorded in 2013. Although the cost associated with the number of annual recorded attacks is in the $500 billion range right now, experts say that it will grow well into the trillions by ...
Post a Comment
Read more

Insure Your Family by Controlling Devices Through an App

By
AIR: YOUR SMART HOME Have you ever rushed to your house suspecting that you may have accidently kept the iron turned on?  How do you deter a burglar  from breaking into your house? You probably would rush to your house and manually turn off the switch in the first instance, and get a burglar alarm for the next. But what if there were a single solution for both? Humans are delegating a lot of menial and repetitive tasks to machines. And as far as errands in your house and offices are concerned, the good news is – you can control appliances through your smart phone. INTRODUCING AIR: YOUR SMART HOME Air app, which is available on both Android and Apple platforms, interacts with your devices and switches them off with a single tap. AIR MOBILE APP The app is complemented with a package that consists of a pentagonal-shaped unit and switchboard module. Once you install air unit; your smartphone can interact with it using the Air App. Thereafter, the unit instructs the...
Post a Comment
Read more