Google discovers new security holes in SSL — is the entire system fundamentally flawed?

Share This Article

Google has discovered that an intermediate certificate authority had issued unauthorized certificates for multiple Google domains. The problem arose because the intermediate authority, MCS Holdings, had issued certificates for the Google domains, despite not holding those domains itself.

The reason it’s critical that companies not mint certificates for websites they don’t operate themselves is because doing so breaks the function of SSL itself. Here’s how the system is supposed to operate:

Your PC contacts a Google server, which returns a certificate. Your computer uses that certificate to encrypt a data session. The server confirms that the key is good and establishes the secure session with your PC. When certificates are signed by third parties, it allows the false server to execute a classic man-in-the-middle attack.

In a man-in-the-middle attack, an intervening certificate authority can pretend to be the genuine issuing authority, particularly if the intermediate certificate company is given the full authority of an issuing CA, which is what happened here. That’s not supposed to happen, as Google points out — the original Certificate Authority, CNNIC (the Chinese Internet Network Information Center) should never have given such authority to MCS Holding in the first place.

Fixing the TLS/SSL system

The problem with the SSL system — in addition to all the bugs, at least — is that it relies on the idea that Certificate Authorities will always issue good certificates. History has proven this simply isn’t true — multiple Certificate Authorities have been hacked, including companies like VeriSign and the now-defunct DigiNotar. Google wants to revamp the process of issuing certificates with its Certificate Transparency initiative. This project would:

Make it impossible (or at least very difficult) for a CA to issue a SSL certificate for a domain without the certificate being visible to the owner of that domain.
Provide an open auditing and monitoring system that lets any domain owner or CA determine whether certificates have been mistakenly or maliciously issued.
Protect users (as much as possible) from being duped by certificates that were mistakenly or maliciously issued.

Certificates would be logged, and the logs would be monitored by public servers that would periodically check to see if malicious or unauthorized certificates were being used across the net. For example, if Certificate Authority XYZ issued an unauthorized certificate for Gmail, a Certificate Transparency Monitor would detect the problem and alert Google itself. Finally, the logs and monitors would themselves be guarded by a cryptographic watchdog program, which would check to ensure that SSL certificates were properly logged and that the logs weren’t tampered with.

The other problem with the TLS/SSL system, beyond the fact that it relies on intrinsic trust, is that the system can be easily subverted. Unless certificates issued by a particular authority are revoked, those certificates can continue to be used to wreak havoc. This is why the recent Lenovo-Superfish debacle was so dangerous. Until Google, Microsoft, and Firefox updated their own software to reject the Komodo certificate, it remained available and functional — effectively end-running around any security that a website might try to provide.

Comments

Workato Chat Bot Brings Enterprise Workflow Into Slack

As we head into 2016, enterprise chat applications like Slack are suddenly a hot commodity, and if you’re inside chat a good portion of the day the argument goes, you should be able to access other work without leaving the chat client. This is exactly what Workato’s newly announced chat bot, Workbot, is designed to do. Chat bots are small programs that integrate with a chat platform and provide some advanced type of functionality in a fairly easy fashion. The new Workbot-chat bot enables users to access and control over 100 enterprise applications such as a Salesforce CRM record, Quickbooks accounting information or Zendesk customer service interactions directly inside of Slack. One of the primary issues with early Enterprise 2.0 tools was that they were just another application busy employees needed to pay attention to. The idea here is to give users customer information directly in the context of the discussion they may be having...

Best Web Design Company in Pondicherry

#Technology has two faces. We all feel it, but sometimes can’t find words to describe it. #Ebooks are the best example to show the 0-1 nature of emotions the #technology evokes. #itwhere provide a #Best #solutions to #Growyourbusiness feel free to drop a #Mail info@itwheretech.co.in www.itwheretech.co.in

Montana-based mapping startup onXmaps raises a round of funding fit for Big Sky Country

A mapping startup based in Missoula, Mont., which allows users to download sophisticated offline topographic maps outlining public and private lands and a number of other features geared towards hunting, fishing and camping, has pulled in its first major outside funding. onXmaps has closed a $20.3 million Series A round led by Summit Partners. Bessemer Venture Partners, Millennium Technology Value Partners, Next Frontier Capital and NBCUniversal CEO Steve Burke also participated in the round. The company is calling the fundraise one of the biggest ever among startups based in Montana. onX Hunt app This is impressively the first bout of outside funding that the 70-person startup has ever taken since being founded in 2009. The company’s founder and CEO Eric Siegfried, an avid outdoorsman himself, had created a more basic program to integrate these maps with his own Garmin GPS. After finding his friends were interested in having a product like this too, he put down $27k of his...

Visa confirms Coinbase wasn’t at fault for overcharging users

Yesterday, we wrote that Coinbase customers were being charged multiple times for past transactions. While some speculated that the erroneous withdraws were down to a Coinbase engineering issue, Coinbase issued a statement saying it wasn’t liable for the duplicate charges. The blame, instead, rested with Visa for the way it handled a migration of merchant categories for cryptocurrencies, Coinbase said. While you can read my post yesterday for an in-depth description of what happened, the basic gist is that Visa refunded and recharged (under a different merchant category) a month of old transactions. Many users saw the recharge come through before the refund processed, making it look like they were double charged. Honestly, the issue was likely exacerbated by existing payment rails — it’s normal for refunds to take multiple days to show up on credit and debit statements. But here’s where it gets weird — this morning Visa issued a statement to some publications shifting the blam...

Phoenix OS is (another) Android-as-a-desktop

Google Android may have been developed as a smartphone operating system (and later ported to tablets, TVs, watches, and other platforms), but over the past few years we’ve seen a number of attempts to turn it into a desktop operating system. One of the most successful has been Remix OS , which gives Android a taskbar, start menu, and an excellent window management system. The Remix OS team has also generated a lot of buzz over the past year, and this week the operating system gained a lot of new alpha testers thanks to a downloadable version of Remix OS that you can run on many recent desktop or notebook computers. But Remix OS isn’t the only game in town. Phoenix OS is another Android-as-desktop operating system, and while it’s still pretty rough around the edges, there are a few features that could make it a better option for some testers. Some background I first discovered Phoenix OS from a post in the Remix OS Google Group , altho...

Exciting Technology

Search This Blog