Friday, 27 March 2015

Egyptian Company: Google Rogue Certificates Were Mistake

The Egyptian company that generated rogue SSL certificates for several Google websites says it was a mistake that Google eventually discovered the certificates and raised the alarm. The certificates were never meant to be discovered. This week, Google warned Internet users about rogue Google certificates generated by the Egyptian company MCS Holding. With these certificates, an attacker could carry out man-in-the-middle and phishing attacks on Internet users to intercept passwords and the contents of encrypted traffic.

MCS Holding is an Egyptian security company that delivers business networking. However, it had become a so-called "intermediate" certificate authority (CA), linked to the Chinese certificate authority CNNIC. SSL certificates that originate from an intermediate certificate authority carry the full authority of the CA under which they fall. Mozilla in particular strongly criticized CNNIC for having given MCS Holding permission, as an intermediate CA, to generate SSL certificates.

The Egyptian company said in a statement that it had signed an agreement with CNNIC to act as an intermediate CA for a two-week period. This was said to be necessary for testing the rollout of a new cloud service. The test took place in a secure lab, where the private key of the CA certificate, used to generate SSL certificates, was stored in a firewall.

However, the firewall was set to automatically generate certificates for websites that were visited on the Internet. During an unguarded moment at the weekend, one of the IT engineers is said to have decided to use the Internet with Google Chrome. Chrome offers certificate pinning, with which websites can indicate by which CA their SSL certificate has been issued. The browser then puts these certificates on a whitelist.

If the website presents an SSL certificate that was issued by a different CA, the browser raises the alarm. After MCS Holding had been informed by CNNIC, the certificate was immediately removed from the firewall and all parties involved were warned. According to the Egyptian company, it was a human error that took place inadvertently. "We have no evidence of abuse, and we therefore recommend that people do not change their password or take other action," said a company spokesman.
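The pinning check described above, as an added example that is not code from Chrome or from the original article: a chain that validates to a publicly trusted root is still rejected when none of its public keys is on the site's pin list. The host name, chain labels and SPKI byte strings are constructed placeholders; real pins are SHA-256 hashes of each certificate's DER-encoded SubjectPublicKeyInfo.

```python
import base64
import hashlib


def spki_pin(spki_der: bytes) -> str:
    """Return the pin for a key: base64(SHA-256(SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


# Constructed stand-ins for DER SubjectPublicKeyInfo blobs (assumption: a real
# client extracts these from the certificates of the validated chain).
SPKI = {
    "site-leaf": b"constructed-spki/site-leaf",
    "site-issuing-ca": b"constructed-spki/site-issuing-ca",
    "forged-leaf": b"constructed-spki/forged-leaf",
    "test-intermediate": b"constructed-spki/test-intermediate",
    "other-public-root": b"constructed-spki/other-public-root",
}

# Pin list shipped with the client: the site only accepts chains that contain
# the key of the CA it actually uses (hypothetical host name).
PINS = {"pinned.example": {spki_pin(SPKI["site-issuing-ca"])}}

# Both chains are assumed to have passed normal path validation already.
GENUINE_CHAIN = [SPKI["site-leaf"], SPKI["site-issuing-ca"]]
INTERCEPTED_CHAIN = [SPKI["forged-leaf"], SPKI["test-intermediate"],
                     SPKI["other-public-root"]]


def check_pins(host, chain_spkis, pins=PINS):
    """Apply pinning to an already validated chain (leaf first).

    Returns (ok, reason). The chain passes if any key in it is pinned.
    """
    pinned = pins.get(host.lower().rstrip("."))
    if pinned is None:
        return True, "host has no pins, normal validation result stands"
    if {spki_pin(s) for s in chain_spkis} & pinned:
        return True, "pin matched"
    return False, "pin mismatch: chain is trusted but contains no pinned key"


if __name__ == "__main__":
    for name, chain in (("genuine", GENUINE_CHAIN),
                        ("intercepted", INTERCEPTED_CHAIN)):
        print(name, check_pins("pinned.example", chain))
```

A mismatch result like the second one is the signal worth reporting and logging, since it means a trusted CA issued a certificate the site never asked for.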


Meanwhile, Google has revoked the intermediate certificate of MCS Holding, and Microsoft has also released an update for Windows users. The software giant's description shows that certificates were created for the domains *. , * , *. , *. , , .com and *. Firefox will follow next week with an update to revoke the certificate.

After the incident, a heated debate erupted on the Mozilla developers' mailing list over whether or not CNNIC is to blame, since it would have violated all sorts of rules. Some want CNNIC removed from the Firefox root store. If Mozilla did this, it could have very serious consequences, especially for Chinese Firefox users, who would then be unable to visit HTTPS sites with SSL certificates from CNNIC and the intermediate CAs beneath it. The Chinese CA has therefore asked Mozilla not to remove CNNIC from the root store.
