Microsoft blacklists latest rogue SSL certificates, Mozilla mulls sanctions for issuer

Microsoft revoked trust in an intermediate CA certificate that was used to issue unauthorized certificates for Google websites

Microsoft has blacklisted a subordinate CA certificate that was wrongfully used to issue SSL certificates for several Google websites. The action will prevent those certificates from being used in Google website spoofing attacks against Internet Explorer users.

Microsoft's move, taken on Tuesday, came after Google reported that the China Internet Network Information Center (CNNIC), a certificate authority (CA) trusted by most browsers and operating systems, issued an intermediate certificate to an Egyptian company called MCS Holdings. The company then used it to generate SSL certificates for Google-owned websites without authorization.

An intermediate certificate gives its holder the ability to issue SSL certificates for other domain names. In other words, CNNIC delegated its certificate authority powers to MCS Holdings, transforming the latter into a subordinate CA.

MCS Holdings installed the sub-CA certificate in a firewall device with SSL/TLS traffic inspection capabilities. Such devices act as man-in-the-middle (MITM) proxies and are used by some companies to enforce their IT security policies even when employees visit HTTPS websites.

The MCS Holdings appliance used the sub-CA certificate to issue certificates for several Google domain names, and possibly other sites, allowing it to analyze SSL/TLS encrypted traffic between the company's employees and those websites.

The use of a widely trusted sub-CA certificate for such a purpose is dangerous, because if the firewall device is compromised and hackers steal the certificate, they can use it to launch website spoofing attacks against any user on the Internet.

If they want to perform MITM SSL interception on their networks, companies should use self-generated CA certificates instead and manually deploy them on all of their systems. If such certificates later get stolen, attackers would only be able to target the corresponding organizations, not users at large.

Google and Mozilla blacklisted the sub-CA certificate misused by MCS Holdings on Monday, so certificates it has signed are no longer trusted by Chrome and Firefox. Microsoft's action Tuesday extended the blacklisting to Internet Explorer and any other software program that relies on the Windows root certificate store to validate certificates.

Mozilla, which maintains its own separate list of trusted root CA certificates, is now debating whether CNNIC should be punished for issuing the intermediate certificate in the first place, as the Chinese organization appears to have done so in violation of Mozilla's policies.

In a discussion on the Mozilla Dev Security Policy mailing list, a representative of CNNIC said that the organization issued the intermediate certificate, which had a validity period of only two weeks, as a test, under an agreement that MCS Holdings would only use it to generate certificates for its own domain names.

However, regardless of whether MCS failed to respect that agreement, CNNIC does not appear to have fulfilled all requirements for subordinate CA certificates that are specified in Mozilla's CA Certificate Inclusion Policy and the CA/Browser Forum's Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates.

Both sets of guidelines require subordinate CA certificates to be either technically constrained, such that they can only be used to issue certificates for specific domain names, or be publicly disclosed and subjected to the same type of audits as root CA certificates.

The intermediate certificate issued by CNNIC met neither of those conditions, according to comments on the Mozilla mailing list. As such, discussion participants have proposed sanctions that range from completely removing CNNIC from the list of CAs trusted by Mozilla to restricting trust in CNNIC to .cn domains only.
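The two technical controls the article contrasts, a sub-CA that is name-constrained versus one that any chain validator will accept for any domain, and the blacklisting that Google, Mozilla and Microsoft applied after the fact, are easier to see as a chain-validation walk. The following is an added example, not code from the article or from any of the organizations it names: a small Python model of RFC 5280 dNSName name-constraint matching applied to a leaf-intermediate-root path, plus an explicit distrust list. Certificates are plain objects rather than real X.509 DER, and the CA and holder names ("Example Root CA", "Example Sub-CA", "subca-holder.example") are constructed placeholders; only "www.google.com" comes from the incident described above.

```python
# Added example (not from the article): a model of how X.509 name constraints
# (RFC 5280 section 4.2.1.10) limit a sub-CA, and how an explicit distrust
# list blocks everything it signed. Certificates are plain Python objects,
# not real DER; CA and holder names below are constructed placeholders.
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    is_ca: bool
    dns_names: Tuple[str, ...] = ()   # subjectAltName dNSName entries (leaf)
    permitted: Tuple[str, ...] = ()   # nameConstraints permittedSubtrees (dNSName)
    excluded: Tuple[str, ...] = ()    # nameConstraints excludedSubtrees (dNSName)


def dns_in_subtree(name: str, subtree: str) -> bool:
    """RFC 5280: a dNSName subtree 'example.com' covers example.com and every
    name formed by prepending labels (www.example.com, a.b.example.com)."""
    name = name.lower().rstrip(".")
    subtree = subtree.lower().rstrip(".")
    return name == subtree or name.endswith("." + subtree)


def name_allowed(name: str, ca: Cert) -> bool:
    """Apply one CA's constraints to one leaf name. An empty permitted list
    means 'no restriction'; an excluded subtree always wins."""
    if any(dns_in_subtree(name, ex) for ex in ca.excluded):
        return False
    if ca.permitted and not any(dns_in_subtree(name, p) for p in ca.permitted):
        return False
    return True


def verify_chain(leaf: Cert, intermediates: List[Cert], roots: Dict[str, Cert],
                 distrusted: Set[str]) -> Tuple[bool, str]:
    """Walk leaf -> intermediates -> root, checking issuer links, CA flags,
    the distrust list, and every CA's name constraints against the leaf names.
    Real browsers key the distrust list on a certificate hash or public key;
    this model keys it on the subject name for brevity."""
    path = [leaf] + intermediates
    for child, parent in zip(path, path[1:]):
        if child.issuer != parent.subject:
            return False, f"issuer mismatch: {child.subject} not issued by {parent.subject}"
        if not parent.is_ca:
            return False, f"{parent.subject} is not a CA"
    root = roots.get(path[-1].issuer)
    if root is None:
        return False, f"root {path[-1].issuer!r} not in trust store"
    full_path = path + [root]
    for cert in full_path:
        if cert.subject in distrusted:
            return False, f"{cert.subject} is explicitly distrusted"
    # Every CA above the leaf must permit every leaf name; checking each CA
    # separately is equivalent to intersecting their permitted subtrees.
    for ca in full_path[1:]:
        for name in leaf.dns_names:
            if not name_allowed(name, ca):
                return False, f"{name} violates name constraints of {ca.subject}"
    return True, "chain valid"


# --- constructed scenario modelled on the article (placeholder names) ---
ROOT = Cert("Example Root CA", "Example Root CA", is_ca=True)
ROOTS = {ROOT.subject: ROOT}

# Sub-CA as described in the article: a CA certificate with no technical constraints.
UNCONSTRAINED_SUB = Cert("Example Sub-CA", ROOT.subject, is_ca=True)
# The same sub-CA as the policies require: constrained to the holder's own domain.
CONSTRAINED_SUB = Cert("Example Sub-CA", ROOT.subject, is_ca=True,
                       permitted=("subca-holder.example",))


def spoofed_leaf(issuer: Cert) -> Cert:
    return Cert("www.google.com", issuer.subject, is_ca=False,
                dns_names=("www.google.com",))


def own_domain_leaf(issuer: Cert) -> Cert:
    return Cert("mail.subca-holder.example", issuer.subject, is_ca=False,
                dns_names=("mail.subca-holder.example",))


def run_scenarios() -> Dict[str, Tuple[bool, str]]:
    """Return validation outcome for each case the article discusses."""
    return {
        "unconstrained_spoof": verify_chain(spoofed_leaf(UNCONSTRAINED_SUB), [UNCONSTRAINED_SUB], ROOTS, set()),
        "constrained_spoof": verify_chain(spoofed_leaf(CONSTRAINED_SUB), [CONSTRAINED_SUB], ROOTS, set()),
        "constrained_own_domain": verify_chain(own_domain_leaf(CONSTRAINED_SUB), [CONSTRAINED_SUB], ROOTS, set()),
        "unconstrained_after_blacklist": verify_chain(spoofed_leaf(UNCONSTRAINED_SUB), [UNCONSTRAINED_SUB], ROOTS, {UNCONSTRAINED_SUB.subject}),
    }


if __name__ == "__main__":
    for label, (ok, reason) in run_scenarios().items():
        print(f"{label:32} {'ACCEPT' if ok else 'REJECT'}  {reason}")
```

The first scenario is the situation the article describes: with no constraints on the sub-CA, a leaf for www.google.com validates against the public root and only an after-the-fact blacklist (fourth scenario) stops it. With a permittedSubtrees constraint on the sub-CA, the spoofed leaf fails at the name-constraint step before any revocation is needed, while a leaf for the holder's own domain still validates; that is the difference between a "technically constrained" sub-CA and one that must instead be disclosed and audited.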

An official decision has not yet been reached by Mozilla.

This is not the first case of subordinate CA certificates being misused. In 2013, a French national cybersecurity agency called ANSSI issued an intermediate certificate to the Treasury department of the French Ministry of Finance. That certificate was then used to issue certificates for Google domains without authorization. One year earlier, a certificate authority called Turktrust issued a certificate to the Municipality of Ankara that unintentionally had a sub-CA profile. That certificate was later installed in a firewall appliance and used for SSL traffic inspection on a local network.


Lucian Constantin

IDG News Service