Skip to main content

Google discovers new security holes in SSL — is the entire system fundamentally flawed?

Image
By
Data security

Share This Article

Google has discovered that an intermediate certificate authority had issued unauthorized certificates for multiple Google domains. The problem arose because the intermediate authority, MCS Holdings, had issued certificates for the Google domains, despite not holding those domains itself.
The reason it’s critical that companies not mint certificates for websites they don’t operate themselves is because doing so breaks the function of SSL itself. Here’s how the system is supposed to operate:
How SSL works
Your PC contacts a Google server, which returns a certificate. Your computer uses that certificate to encrypt a data session. The server confirms that the key is good and establishes the secure session with your PC. When certificates are signed by third parties, it allows the false server to execute a classic man-in-the-middle attack.
Main_the_middle
In a man-in-the-middle attack, an intervening certificate authority can pretend to be the genuine issuing authority, particularly if the intermediate certificate company is given the full authority of an issuing CA, which is what happened here. That’s not supposed to happen, as Google points out — the original Certificate Authority, CNNIC (the Chinese Internet Network Information Center) should never have given such authority to MCS Holding in the first place.

Fixing the TLS/SSL system

The problem with the SSL system — in addition to all the bugs, at least — is that it relies on the idea that Certificate Authorities will always issue good certificates. History has proven this simply isn’t true — multiple Certificate Authorities have been hacked, including companies like VeriSign and the now-defunct DigiNotar. Google wants to revamp the process of issuing certificates with its Certificate Transparency initiative. This project would:
  • Make it impossible (or at least very difficult) for a CA to issue a SSL certificate for a domain without the certificate being visible to the owner of that domain.
  • Provide an open auditing and monitoring system that lets any domain owner or CA determine whether certificates have been mistakenly or maliciously issued.
  • Protect users (as much as possible) from being duped by certificates that were mistakenly or maliciously issued.
Certificates would be logged, and the logs would be monitored by public servers that would periodically check to see if malicious or unauthorized certificates were being used across the net. For example, if Certificate Authority XYZ issued an unauthorized certificate for Gmail, a Certificate Transparency Monitor would detect the problem and alert Google itself. Finally, the logs and monitors would themselves be guarded by a cryptographic watchdog program, which would check to ensure that SSL certificates were properly logged and that the logs weren’t tampered with.
The other problem with the TLS/SSL system, beyond the fact that it relies on intrinsic trust, is that the system can be easily subverted. Unless certificates issued by a particular authority are revoked, those certificates can continue to be used to wreak havoc. This is why the recent Lenovo-Superfish debacle was so dangerous. Until Google, Microsoft, and Firefox updated their own software to reject the Komodo certificate, it remained available and functional — effectively end-running around any security that a website might try to provide.

Comments

Post a Comment

Popular posts from this blog

The Eight Most Impactful Excel Shortcuts That You Should Master

By
If you’ve ever gone online to research improving your Excel skills, you’ve undoubtedly come across a post or two listing all of Excel’s keyboard shortcuts.  In the latest version of Excel, Microsoft has made it easier than ever to learn shortcuts, by assigning shortcuts to nearly every function and making the discovery of the input sequence very transparent. While memorizing Excel shortcuts will generally improve your productivity, not all shortcuts are created equal.  Shortcuts that you never use are not inherently not very useful and not worth memorizing.  Your focus should be on the shortcuts that have the most impact – either by the amount of time it saves you, the frequency that you’ll use them, or the behavior it encourages. If you’ve already started using Excel or just haven’t utilized shortcuts heavily before, review the top eight shortcuts below.  For any that you don’t know already, I would suggest memorizing them and incorp...
Post a Comment
Read more

Google Announces Android Wear Update With WiFi Support, Always-On Apps, And More

By
It has been a while since Android Wear got any substantial updates, but today Google is announcing a big one. A new version of Wear will be rolling out over the coming weeks that includes a number of previously rumored features (like WiFi support) and some all new stuff (like always-on apps). Most Wear devices use the always-on ambient mode for the watch face by default, the Moto 360 being a notable exception. The new Android Wear version allows apps to operate in ambient mode too, so they remain active when the watch goes to sleep. That makes it easier to take a quick glance at the app instead of waking the device up and opening the app all over again. The watch will still only go into full-color mode when necessary. WiFi support is also coming in the update, which means your watch can be useful even if your phone isn't connected. Watches with WiFi support will be able to connect to WiFi and still get messages and notifications from your phone, provided it has an interne...
Post a Comment
Read more

Facebook will verify the location of U.S. election ad buyers by mailing them postcards

By
Facebook’s global director of policy programs says it will start sending postcards by snail mail to verify buyers of ads related to United States elections. Katie Harbath, who described the plan at a conference held by the National Association of Secretaries of State this weekend, didn’t reveal when the program will start, but told Reuters that it would be before the Congressional midterm elections in November. The cards will be sent to people who want to purchase ads that mention candidates running for federal offices, but not issue-based political ads, Harbath said, and contain a code that buyers need to enter to verify that they are in the U.S. The program is similar to ones used by Google My Business and Nextdoor when they need to verify business owners or users who want to join closed neighborhood groups, respectively. Harbath told Reuters that the postcards “won’t solve everything,” but were the most effective method the company came up with to prevent people from using fa...
1 comment
Read more

Budding #entrepreneur from Chandigarh University!!

By
Budding #entrepreneur from Chandigarh University!! #CU #students unfolded their creative ideas and presented them with a productive shape! Meet Our #Automobile #Engineering student - Trilok Singh, who has started his own start-up with the name GEARR TECHNOLOGIES under the guidance of CU-TBI. This start up focuses on affordable high end #Bicycles and its high #technology equipment’s. This start- up will bring to the Indian audience the scope of Products, #innovation, creativity and customization available in the market. Watch the video!!
Post a Comment
Read more

South Korea aims for startup gold

By
Back in 2011, when South Korea won its longshot bid to host the 2018 Winter Olympics, the country wasn’t widely recognized as a destination for ski and snow lovers. It wasn’t considered much of a tech startup hub either. Fast forward seven years and a lot has changed. For the next 10 days, the eyes of the world will be on the snowy slopes of PyeongChang. Meanwhile, a couple of hours away in Seoul, a burgeoning startup scene is seeing investments multiply, generating exits and even creating a unicorn or two. While South Korea doesn’t get a perfect score as a startup innovation hub, it has established itself as a serious contender. More than half a billion dollars annually has gone to seed through late-stage funding rounds for the past few years. During that time, at least two companies, e-commerce company Coupang and mobile-focused content and commerce company Yello Mobile, have established multi-billion-dollar valuations. To provide a broader picture of how South Korea stacks ...
Post a Comment
Read more