By best-practice standards, security certificates for a domain should be created only by whoever operates the website. Otherwise, you only end up breaching the SSL for that domain in the process.
This was what happened when MCS Holdings, an intermediate certificate authority, issued certificates for several Google domains. The search giant found security holes in the SSL because the intermediate authority does not run the domains in question.
A computer receives a certificate from Google's server when it contacts that server. The certificate is used to encrypt the data transmitted during the communication. Only when Google's server validates the key does your PC's connection with the company's server become secure. Otherwise, the connection is vulnerable to a man-in-the-middle attack. This happens when a third party signs a certificate for a domain it does not operate, as in the case of MCS Holdings issuing certificates for the Google domains.
The role that an intermediate certificate authority plays in this process is risky, because it is prone to external intervention. In the case of the SSL that Google found flawed, an intervening certificate authority disguised itself as a legitimate issuing authority, which means it had full authority to issue a certificate. In this case, the Chinese Internet Network Information Center is the genuine issuing authority, and MCS Holdings was fake. Google questioned how MCS Holdings acquired that authority to begin with.
Part of the reason MCS Holdings obtained that level of authority is the common misconception that a certificate authority always issues legitimate certificates, free from compromise. You only have to recall that VeriSign, a popular certificate authority, has been hacked in the past to see that certificate authorities do not issue good certificates all the time. They cannot when their systems are compromised.
So how does Google deal with it? The company has launched the Certificate Transparency project, which aims to make it hard for certificate authorities to issue SSL certificates that are invisible to the domain operator or owner. Google also wants the project to help domain owners and certificate authorities vet certificates through an open auditing and monitoring system, and to prevent third parties from deceiving users with fake certificates.
Under the initiative, public servers would keep logs of certificates so that malicious certificates can be checked for. A cryptographic monitoring program will then secure the logs and monitors to ensure that certificates are logged properly.