Microsoft blacklists latest rogue SSL certificates, Mozilla mulls sanctions for issuer

Microsoft revoked trust in an intermediate CA certificate that was used to issue unauthorized certificates for Google websites

Microsoft has blacklisted a subordinate CA certificate that was wrongfully used to issue SSL certificates for several Google websites. The action will prevent those certificates from being used in Google website spoofing attacks against Internet Explorer users.

Microsoft's move, taken on Tuesday, came after Google reported that the China Internet Network Information Center (CNNIC), a certificate authority (CA) trusted by most browsers and operating systems, issued an intermediate certificate to an Egyptian company called MCS Holdings. The company then used it to generate SSL certificates for Google-owned websites without authorization.

An intermediate (subordinate) CA certificate carries the CA flag, so its holder can sign SSL certificates for any domain name it likes, and every browser that trusts the root above it will accept them. In other words, CNNIC delegated its certificate authority powers to MCS Holdings, transforming the latter into a subordinate CA.

MCS Holdings installed the sub-CA certificate and its private key in a firewall device with SSL/TLS traffic inspection capabilities. Such devices act as man-in-the-middle (MITM) proxies: they terminate the user's TLS connection with a certificate for the requested site that they mint on the fly, then open their own connection to the real server. Some companies use them to enforce their IT security policies even when employees visit HTTPS websites.

The MCS Holdings appliance used the sub-CA certificate to issue certificates for several Google domain names, and possibly other sites, allowing it to analyze SSL/TLS encrypted traffic between the company's employees and those websites.

Using a publicly trusted sub-CA certificate for this purpose is dangerous because the secret that matters, the sub-CA's private key, sits on the appliance. If the device is compromised and attackers steal that key, they can mint a browser-trusted certificate for any website and use it in spoofing or interception attacks against any user on the Internet, not just the company's employees.

Companies that want to perform MITM SSL interception on their networks should instead generate their own private CA and deploy its root certificate to the trust stores of the systems they manage. If that CA's key is later stolen, attackers can only fool the devices that trust it, that is, the organization's own users, not users at large.

Google and Mozilla blacklisted the sub-CA certificate misused by MCS Holdings on Monday, so certificates it has signed are no longer trusted by Chrome and Firefox. Microsoft's action Tuesday extended the blacklisting to Internet Explorer and any other software program that relies on the Windows root certificate store to validate certificates.

Mozilla, which maintains its own separate list of trusted root CA certificates, is now debating whether CNNIC should be punished for issuing the intermediate certificate in the first place, as the Chinese organization appears to have done so in violation of Mozilla's policies.

In a discussion on the Mozilla Dev Security Policy mailing list, a representative of CNNIC said that the organization issued the intermediate certificate, which had a validity period of only two weeks, as a test, under an agreement that MCS Holdings would only use it to generate certificates for its own domain names.

However, regardless of whether MCS failed to respect that agreement, CNNIC does not appear to have fulfilled all requirements for subordinate CA certificates that are specified in Mozilla's CA Certificate Inclusion Policy and the CA/Browser Forum's Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates.

Both sets of guidelines require subordinate CA certificates to be either technically constrained, meaning they carry an X.509 Name Constraints extension (together with a restricted Extended Key Usage) so that they can only be used to issue certificates for a specific set of domain names, or be publicly disclosed and subjected to the same type of audits as root CA certificates.
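The difference between a technically constrained sub-CA and an unconstrained one like the CNNIC/MCS certificate can be seen in a few dozen lines of Go. The program below is an added example written for this page, not code from CNNIC, MCS Holdings or any browser vendor. It builds a private root and a subordinate CA in memory (the self-generated hierarchy recommended above), has the sub-CA mint server certificates on the fly the way an interception appliance does, and then validates them with Go's standard crypto/x509 verifier. All names, keys and the "Example Private Root" are constructed for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// DemoPKI is a constructed private hierarchy: one root and one subordinate CA.
// Names and keys are generated for this example and belong to no real CA.
type DemoPKI struct {
	Root         *x509.Certificate
	Intermediate *x509.Certificate
	interKey     *ecdsa.PrivateKey // the secret an interception appliance would hold
	serial       int64
}

func mustKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// mustSign signs tmpl with the parent's key and parses the result back.
func mustSign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

func caTemplate(cn string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(14 * 24 * time.Hour), // two weeks, like the CNNIC test cert
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

// BuildPKI creates the root and signs a subordinate CA under it. With
// permittedDomain set, the sub-CA gets a critical Name Constraints extension
// (RFC 5280 4.2.1.10) so it may only certify hosts within that domain; left
// empty, the sub-CA is as powerful as the root, which is the MCS Holdings case.
func BuildPKI(permittedDomain string) *DemoPKI {
	rootKey := mustKey()
	rootTmpl := caTemplate("Example Private Root", 1)
	root := mustSign(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)

	interKey := mustKey()
	interTmpl := caTemplate("Example Sub CA", 2)
	if permittedDomain != "" {
		interTmpl.PermittedDNSDomainsCritical = true
		interTmpl.PermittedDNSDomains = []string{permittedDomain}
	}
	inter := mustSign(interTmpl, root, &interKey.PublicKey, rootKey)
	return &DemoPKI{Root: root, Intermediate: inter, interKey: interKey, serial: 100}
}

// IssueLeaf has the sub-CA sign a server certificate for host, which is what
// an interception appliance does on the fly for every HTTPS site a user visits.
func (p *DemoPKI) IssueLeaf(host string) *x509.Certificate {
	p.serial++
	leafKey := mustKey()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(p.serial),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return mustSign(tmpl, p.Intermediate, &leafKey.PublicKey, p.interKey)
}

// Verify does what a browser with this root in its trust store does: chain the
// leaf through the sub-CA to the root, apply the sub-CA's constraints to the
// leaf's names, and check the hostname. A nil result means the site is accepted.
func (p *DemoPKI) Verify(leaf *x509.Certificate, host string) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(p.Root)
	inters.AddCert(p.Intermediate)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: host})
	return err
}

// RejectedByNameConstraints reports whether validation failed specifically
// because the sub-CA was not authorised to certify that name.
func RejectedByNameConstraints(err error) bool {
	var cie x509.CertificateInvalidError
	return errors.As(err, &cie) && cie.Reason == x509.CANotAuthorizedForThisName
}

func main() {
	for _, domain := range []string{"", "example.com"} {
		pki := BuildPKI(domain)
		for _, host := range []string{"www.example.com", "www.google.com"} {
			err := pki.Verify(pki.IssueLeaf(host), host)
			fmt.Printf("sub-CA constraint=%q host=%s -> %v\n", domain, host, err)
		}
	}
}
```

Run it and the unconstrained sub-CA's certificate for www.google.com validates cleanly, which is exactly why a key leaked from such an appliance endangers every user whose browser trusts the root above it. With the sub-CA constrained to example.com, the same certificate is rejected with CANotAuthorizedForThisName while one for www.example.com still passes. The constraint is marked critical here on purpose: a client that does not implement Name Constraints must then reject the chain rather than silently ignore the extension.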

The intermediate certificate issued by CNNIC met neither of those conditions, according to comments on the Mozilla mailing list. As such, discussion participants have proposed sanctions that range from completely removing CNNIC from the list of CAs trusted by Mozilla to restricting trust in CNNIC to .cn domains only.

An official decision has not yet been reached by Mozilla.

This is not the first case of subordinate CA certificates being misused. In 2013, a French national cybersecurity agency called ANSSI issued an intermediate certificate to the Treasury department of the French Ministry of Finance. That certificate was then used to issue certificates for Google domains without authorization. One year earlier, a certificate authority called Turktrust issued a certificate to the Municipality of Ankara that unintentionally had a sub-CA profile. That certificate was later installed in a firewall appliance and used for SSL traffic inspection on a local network.


Lucian Constantin

IDG News Service