Microsoft blacklists latest rogue SSL certificates, Mozilla mulls sanctions for issuer

Microsoft revoked trust in an intermediate CA certificate that was used to issue unauthorized certificates for Google websites

Microsoft has blacklisted a subordinate CA certificate that was wrongfully used to issue SSL certificates for several Google websites. The action will prevent those certificates from being used in Google website spoofing attacks against Internet Explorer users.

Microsoft's move, taken on Tuesday, came after Google reported that the China Internet Network Information Center (CNNIC), a certificate authority (CA) trusted by most browsers and operating systems, issued an intermediate certificate to an Egyptian company called MCS Holdings. The company then used it to generate SSL certificates for Google-owned websites without authorization.

An intermediate certificate gives its holder the ability to issue SSL certificates for other domain names. In other words, CNNIC delegated its certificate authority powers to MCS Holdings, transforming the latter into a subordinate CA.

MCS Holdings installed the sub-CA certificate in a firewall device with SSL/TLS traffic inspection capabilities. Such devices act as man-in-the-middle (MITM) proxies and are used by some companies to enforce their IT security policies even when employees visit HTTPS websites.

The MCS Holdings appliance used the sub-CA certificate to issue certificates for several Google domain names, and possibly other sites, allowing it to analyze SSL/TLS encrypted traffic between the company's employees and those websites.

The use of a widely trusted sub-CA certificate for such a purpose is dangerous, because if the firewall device is compromised and hackers steal the certificate, they can use it to launch website spoofing attacks against any user on the Internet.

If they want to perform MITM SSL interception on their networks, companies should use self-generated CA certificates instead and manually deploy them on all of their systems. If such certificates later get stolen, attackers would only be able to target the corresponding organizations, not users at large.

Google and Mozilla blacklisted the sub-CA certificate misused by MCS Holdings on Monday, so certificates it has signed are no longer trusted by Chrome and Firefox. Microsoft's action Tuesday extended the blacklisting to Internet Explorer and any other software program that relies on the Windows root certificate store to validate certificates.

Mozilla, which maintains its own separate list of trusted root CA certificates, is now debating whether CNNIC should be punished for issuing the intermediate certificate in the first place, as the Chinese organization appears to have done so in violation of Mozilla's policies.

In a discussion on the Mozilla Dev Security Policy mailing list, a representative of CNNIC said that the organization issued the intermediate certificate, which had a validity period of only two weeks, as a test, under an agreement that MCS Holdings would only use it to generate certificates for its own domain names.

However, regardless of whether MCS failed to respect that agreement, CNNIC does not appear to have fulfilled all requirements for subordinate CA certificates that are specified in Mozilla's CA Certificate Inclusion Policy and the CA/Browser Forum's Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates.

Both sets of guidelines require subordinate CA certificates either to be technically constrained, so that they can be used to issue certificates only for specific domain names, or to be publicly disclosed and subjected to the same type of audits as root CA certificates.

The intermediate certificate issued by CNNIC met neither of those conditions, according to comments on the Mozilla mailing list. As such, discussion participants have proposed sanctions that range from completely removing CNNIC from the list of CAs trusted by Mozilla to restricting trust in CNNIC to .cn domains only.
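The "technically constrained" requirement described above, and the earlier advice that an interception appliance should use a privately generated CA rather than a publicly trusted one, both come down to what a relying party can verify in the certificate path itself. The block below is an added example, not code from the article, from CNNIC, MCS Holdings or any browser vendor; it models the RFC 5280 name-constraints check with constructed certificate objects instead of real DER, so it runs offline with the standard library. The class and function names and the domain `example-sub-ca.test` are assumptions. It shows that a leaf for a Google host issued under a constrained sub-CA is rejected by path validation, while the same leaf under an unconstrained sub-CA passes every check in the path, which is why the browsers had to fall back to blacklisting.

```python
"""Evaluate X.509 name constraints (RFC 5280, section 4.2.1.10) on the
dNSName entries of a certificate chain.

Added example; not code from the article, CNNIC, MCS Holdings or any
browser vendor. Certificates are constructed Python objects rather than
real DER/PEM, so the block runs offline with the standard library only.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Cert:
    """Minimal model of the fields that matter for name constraints."""
    subject: str
    is_ca: bool = False
    san_dns: List[str] = field(default_factory=list)
    # None means the nameConstraints extension is absent (unconstrained CA).
    permitted_dns: Optional[List[str]] = None
    excluded_dns: List[str] = field(default_factory=list)


def dns_matches_constraint(name: str, constraint: str) -> bool:
    """RFC 5280 dNSName rule: the name must equal the constraint or be a
    subdomain of it, so 'www.example.com' satisfies 'example.com' but
    'badexample.com' does not. A constraint with a leading dot
    ('.example.com') is satisfied by subdomains only."""
    name = name.lower().rstrip(".")
    constraint = constraint.lower().rstrip(".")
    if constraint.startswith("."):
        return name.endswith(constraint)
    return name == constraint or name.endswith("." + constraint)


def is_technically_constrained(ca: Cert) -> bool:
    """Simplified reading of the 'technically constrained' test the article
    cites: the CA certificate carries a permittedSubtrees list for dNSName."""
    return ca.is_ca and bool(ca.permitted_dns)


def check_chain(chain: List[Cert]) -> Tuple[bool, str]:
    """chain is ordered root -> intermediates -> leaf.

    Constraints accumulate down the path: every name below a constrained
    CA must fall inside each permittedSubtrees list seen so far and must
    not fall inside any excludedSubtrees list seen so far. Requiring a
    match against every permitted list is equivalent to intersecting them.
    """
    permitted_sets: List[List[str]] = []
    excluded: List[str] = []
    for issuer, cert in zip(chain, chain[1:]):
        if not issuer.is_ca:
            return False, f"{issuer.subject} is not a CA but issued {cert.subject}"
        if issuer.permitted_dns is not None:
            permitted_sets.append(issuer.permitted_dns)
        excluded.extend(issuer.excluded_dns)
        for name in cert.san_dns:
            if any(dns_matches_constraint(name, c) for c in excluded):
                return False, f"{name} in {cert.subject} is in an excluded subtree"
            for pset in permitted_sets:
                if not any(dns_matches_constraint(name, c) for c in pset):
                    return False, f"{name} in {cert.subject} is outside permitted subtrees {pset}"
    return True, "all names satisfy the chain's name constraints"


# Constructed sample certificates. 'example-sub-ca.test' stands in for the
# subordinate CA's own domain; these are placeholders, not real CA data.
ROOT = Cert(subject="Example Root CA", is_ca=True)
CONSTRAINED_SUB = Cert(subject="Constrained Sub CA", is_ca=True,
                       permitted_dns=["example-sub-ca.test"])
UNCONSTRAINED_SUB = Cert(subject="Unconstrained Sub CA", is_ca=True)


def leaf_for(*names: str) -> Cert:
    """Constructed end-entity certificate carrying the given dNSNames."""
    return Cert(subject=names[0], san_dns=list(names))


def verify_leaf(sub_ca: Cert, *names: str) -> Tuple[bool, str]:
    """Build root -> sub_ca -> leaf and evaluate name constraints on it."""
    return check_chain([ROOT, sub_ca, leaf_for(*names)])


if __name__ == "__main__":
    for sub in (CONSTRAINED_SUB, UNCONSTRAINED_SUB):
        print(f"{sub.subject}: technically constrained = {is_technically_constrained(sub)}")
        for host in ("www.google.com", "mail.example-sub-ca.test"):
            ok, why = verify_leaf(sub, host)
            print(f"  leaf {host}: {'accepted' if ok else 'rejected'} ({why})")
```

Run it directly to see both sub-CAs evaluated against a Google host and the sub-CA's own host. The unconstrained case accepting `www.google.com` is the failure mode the article describes: nothing in the path limits what the sub-CA may sign, so the only remedies left to browser vendors are revocation and blacklisting of the sub-CA certificate. A real validator also checks signatures, validity periods, basicConstraints and key usage, which this model deliberately omits.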

An official decision has not yet been reached by Mozilla.

This is not the first case of subordinate CA certificates being misused. In 2013, a French national cybersecurity agency called ANSSI issued an intermediate certificate to the Treasury department of the French Ministry of Finance. That certificate was then used to issue certificates for Google domains without authorization. One year earlier, a certificate authority called Turktrust issued a certificate to the Municipality of Ankara that unintentionally had a sub-CA profile. That certificate was later installed in a firewall appliance and used for SSL traffic inspection on a local network.

Lucian Constantin

IDG News Service