• Skip to primary navigation
  • Skip to main content
  • Skip to footer
  • Home
  • Advertise With Us
  • Contact
  • Cookie Policy
    • Privacy statement (CA)
    • Cookie policy (CA)
    • Privacy statement (UK)
    • Cookie policy (UK)
    • Privacy statement (US)
    • Do Not Sell My Personal Information
    • Privacy statement (EU)
    • Cookie policy (EU)
    • Disclaimer

TechWalls

Technology News | Gadget Reviews | Tutorials

  • Reviews
  • Tech News
  • Tech Guide
  • Gadget & Apps

Google Finds Flaw in SSL, How it Fixes the Problem

Updated on Mar 27, 2015 by Guest Authors

Creating security certificates for domains, by best practices standards, is best done when you operate the website yourself. Otherwise, you only end up breaching the SSL for that domain in the process.

This was what happened when MCS Holdings, an intermediate certificate authority, issued certificates for several Google domains. The search giant found security holes in the SSL because the intermediate authority does not run the domains in question.

ssl-google-attack

A computer receives a certificate from Google server upon contact with the server. This certificate functions as an encryption for the data being transmitted in the communication. Only when Google’s server validates the key does your PC contact with the company’s server become secure. Otherwise, the connection is vulnerable to a man-in-the-middle attack. This happens when a third party signs a certificate for the domain it does not operate, as in the case of MCS Holdings issuing certificates for the Google domains.

The role that an intermediate certificate authority plays in this process is risky, because it is prone to external intervention. What happened with the SSL that Google found flawed was that an intervening certificate authority disguised itself as a legitimate issuing authority, which means it had full authority to issue a certificate. In this case, the Chinese Internet Network Information Center is the genuine issuing authority, and MCS Holding was fake. Google lamented how come MCS Holding acquired that authority to begin with.

Part of the problem why MCS Holding obtained that level of authority is the common misconception that a certificate authority is always in the habit of giving legit certificates, free from compromise. You only have to recall that VeriSign, a popular certificate authority, has been hacked in the past to believe that not all certificate authorities are all the time issuing good certificates. That won’t be the case when their system is compromised.

So how does Google deal with it? The company has launched the Certificate Transparency project, which aims to give certificate authorities a hard time to issue SSL certificates that are invisible to the domain operator or owner. Google also wants the project to help domain owners or certificate authorities to vet the certificates through an open auditing and monitoring system and prevent third parties from deceiving users with fake certificates.

Under the initiative, public servers would keep track of the logs of certificates in order to check for malicious certificates. Then a cryptographic monitoring program will secure the logs and monitors to ascertain proper logging of certificates.

Disclosure: As an Amazon Associate, I earn from qualifying purchases. The commission help keep the rest of my content free, so thank you!

Reader Interactions

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Footer

SwitchBot Lock Review – Perfect Smart Lock for Renters

BREEZOME JH03 vs JH04 Air Purifier – Which One Should You Buy?

SwitchBot Curtain Smart Electric Motor Review – The Upgraded Version

COLORWING M08F Portable Thermal Printer Review – Requiring No Ink, Toner, or Ribbon

Follow TechWalls

YoutubeFacebookTwitterInstagram

Recent Posts

  • Premiere of the Demo of “EVOLUTION”, Tencent’s First Native Cloud Game, Leading Us to Set Off to the Real World Together
  • VANKYO Leisure 495W and Leisure 470 Pro Projector – New Full-HD Projector Series
  • SwitchBot Lock Review – Perfect Smart Lock for Renters
  • BLUETTI Father’s Day Deals – Power Gears for the Best Dad in the World

Copyright © 2022 · All Rights Reserved