Google discovers new security holes in SSL — is the entire system fundamentally flawed?

Data security

Google has discovered that an intermediate certificate authority had issued unauthorized certificates for multiple Google domains. The problem arose because the intermediate authority, MCS Holdings, had issued certificates for the Google domains, despite not holding those domains itself.
It’s critical that companies not mint certificates for websites they don’t operate themselves, because doing so breaks the guarantee SSL is meant to provide. Here’s how the system is supposed to operate:
How SSL works
Your PC contacts a Google server, which returns its certificate. Your computer checks that the certificate was signed by a Certificate Authority it trusts and uses the public key inside it to set up an encrypted session; the server proves it holds the matching private key, and the secure session is established. If a third party can obtain a certificate for a Google domain signed by a trusted CA, a false server presenting that certificate passes the very same check, which is what allows it to execute a classic man-in-the-middle attack.
In a man-in-the-middle attack, an intervening certificate authority can pretend to be the genuine issuing authority, particularly if the intermediate certificate company is given the full authority of an issuing CA, which is what happened here. That’s not supposed to happen, as Google points out — the original Certificate Authority, CNNIC (the Chinese Internet Network Information Center), should never have given such authority to MCS Holdings in the first place.

Fixing the TLS/SSL system

The problem with the SSL system — in addition to all the bugs, at least — is that it relies on the idea that Certificate Authorities will always issue good certificates. History has proven this simply isn’t true — multiple Certificate Authorities have been hacked, including companies like VeriSign and the now-defunct DigiNotar. Google wants to revamp the process of issuing certificates with its Certificate Transparency initiative. This project would:
  • Make it impossible (or at least very difficult) for a CA to issue an SSL certificate for a domain without the certificate being visible to the owner of that domain.
  • Provide an open auditing and monitoring system that lets any domain owner or CA determine whether certificates have been mistakenly or maliciously issued.
  • Protect users (as much as possible) from being duped by certificates that were mistakenly or maliciously issued.
Certificates would be logged, and the logs would be monitored by public servers that would periodically check to see if malicious or unauthorized certificates were being used across the net. For example, if Certificate Authority XYZ issued an unauthorized certificate for Gmail, a Certificate Transparency Monitor would detect the problem and alert Google itself. Finally, the logs and monitors would themselves be guarded by a cryptographic watchdog program (what Certificate Transparency calls an auditor), which would check to ensure that SSL certificates were properly logged and that the logs weren’t tampered with.
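The monitor and watchdog roles described above, as an added example that is not part of the original article: a miniature Certificate Transparency log using the RFC 6962 Merkle tree hashing, a monitor that flags certificates for a watched domain issued by an unexpected CA, and an auditor-style inclusion-proof check that fails if the log quietly drops an entry. The log entries, CA names and the `LOG`/`ALLOWED_CAS` data are constructed here and stand in for real certificates.

```python
import hashlib

# Constructed log entries (not real certificates): (issuing CA, certificate's domain)
LOG = [(b"Trusted-CA", b"mail.google.com"), (b"Trusted-CA", b"example.org"),
       (b"XYZ-CA", b"mail.google.com"), (b"Trusted-CA", b"login.example.org")]
# What the domain owner expects: only these CAs may issue for the watched domain
ALLOWED_CAS = {b"mail.google.com": {b"Trusted-CA"}}

def leaf_hash(entry):
    return hashlib.sha256(b"\x00" + entry).digest()          # RFC 6962 leaf prefix 0x00
def node_hash(left, right):
    return hashlib.sha256(b"\x01" + left + right).digest()   # interior-node prefix 0x01

def _split(n):
    """Largest power of two strictly less than n (RFC 6962 tree split point)."""
    k = 1
    while k * 2 < n:
        k *= 2
    return k

def merkle_root(leaves):
    """Merkle Tree Hash over leaf hashes, the value a CT log signs in its tree head."""
    if not leaves:
        return hashlib.sha256(b"").digest()
    if len(leaves) == 1:
        return leaves[0]
    k = _split(len(leaves))
    return node_hash(merkle_root(leaves[:k]), merkle_root(leaves[k:]))

def inclusion_proof(leaves, index):
    """Audit path for leaves[index]: list of (sibling hash, sibling is on the left)."""
    if len(leaves) == 1:
        return []
    k = _split(len(leaves))
    if index < k:
        return inclusion_proof(leaves[:k], index) + [(merkle_root(leaves[k:]), False)]
    return inclusion_proof(leaves[k:], index - k) + [(merkle_root(leaves[:k]), True)]

def verify_inclusion(leaf, proof, root):
    """Auditor check: the leaf plus its audit path must rebuild the signed root."""
    h = leaf
    for sibling, sibling_is_left in proof:
        h = node_hash(sibling, h) if sibling_is_left else node_hash(h, sibling)
    return h == root

def monitor(log, allowed):
    """Monitor check: certificates for a watched domain issued by an unexpected CA."""
    return [(i, ca, dom) for i, (ca, dom) in enumerate(log)
            if dom in allowed and ca not in allowed[dom]]
```

Run `monitor(LOG, ALLOWED_CAS)` to see the rogue `XYZ-CA` entry flagged; removing that entry from the log changes `merkle_root`, so the previously issued inclusion proof no longer verifies against the published root.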
The other problem with the TLS/SSL system, beyond the fact that it relies on intrinsic trust, is that the system can be easily subverted. Unless certificates issued by a particular authority are revoked, those certificates can continue to be used to wreak havoc. This is why the recent Lenovo-Superfish debacle was so dangerous. Until Google, Microsoft, and Firefox updated their own software to reject the Komodia certificate, it remained available and functional — effectively doing an end run around any security that a website might try to provide.
