TechWalls

Technology News | Gadget Reviews | Tutorials

Google Finds Flaw in SSL, How it Fixes the Problem

Updated on Mar 27, 2015 by Guest Authors

By best-practice standards, security certificates for a domain should be created only by whoever operates the website. Otherwise, you only end up breaching SSL for that domain in the process.

This is what happened when MCS Holdings, an intermediate certificate authority, issued certificates for several Google domains. The search giant found security holes in the SSL because the intermediate authority does not run the domains in question.

A computer receives a certificate from Google's server when it contacts that server. This certificate serves to encrypt the data transmitted during the communication. Only when Google's server validates the key does your PC's connection to the company's server become secure. Otherwise, the connection is vulnerable to a man-in-the-middle attack. This happens when a third party signs a certificate for a domain it does not operate, as in the case of MCS Holdings issuing certificates for the Google domains.

The role that an intermediate certificate authority plays in this process is risky, because it is prone to external intervention. In the SSL flaw that Google found, an intervening certificate authority disguised itself as a legitimate issuing authority, which means it had full authority to issue a certificate. In this case, the China Internet Network Information Center is the genuine issuing authority, and MCS Holdings was fake. Google lamented how MCS Holdings came to acquire that authority to begin with.

Part of the reason MCS Holdings obtained that level of authority is the common misconception that a certificate authority always issues legitimate certificates, free from compromise. You only have to recall that VeriSign, a popular certificate authority, has been hacked in the past to see that certificate authorities do not issue good certificates all the time. They cannot when their systems are compromised.

So how does Google deal with it? The company has launched the Certificate Transparency project, which aims to make it hard for certificate authorities to issue SSL certificates that are invisible to the domain operator or owner. Google also wants the project to help domain owners and certificate authorities vet certificates through an open auditing and monitoring system, and to prevent third parties from deceiving users with fake certificates.

Under the initiative, public servers would keep logs of issued certificates so that they can be checked for malicious certificates. A cryptographic monitoring program would then secure the logs, and monitors would ascertain that certificates are being logged properly.
