Tuesday, 24 March 2015

Google Sounds Alarm On Rogue Google certificate

Google warns Internet users to rogue Google certificate issued by a company from the United Arab Emirates and could be used to perform man-in-the-middle and phishing attacks on Internet users, so as passwords and the contents of encrypted traffic intercept. SSL certificates are used inter alia for encrypting traffic between websites and visitors and identifying websites.

The company that rogue SSL certificates issued is MCS Holdings , a so-called "intermediate" certificate authority (CA), which is linked to the Chinese CNNIC certificate authority. SSL certificates from an intermediate certificate authority originate have the full authority of the CA under which they fall. CNNIC is in all major "root certificate stores" so the Google unfairly issued certificates would be trusted by most browsers and operating systems.

Chrome on Windows, OS X and Linux, ChromeOS and Firefox 33 and newer would have refused the certificate because certificate-pinning. According to Google, there are probably also issued certificates for other websites that may not be recognized by certificate-pinning. Certificate-pinning sites may indicate by what their CA SSL certificate has been issued. The browser will then put these certificates on a whitelist. Is the website for an SSL certificate that is issued by a different CA, then turn the alarm browser. Browsers like Chrome and Firefox currently support only pinning for some great websites.


Following the fraudulent certificates, which were discovered on 20 March, Google CNNIC approached and was told that MCS Holdings only if issued certificates for domains they had registered themselves. That turned the company does not have done. MCS Holdings provides proxy appliances and firewall solutions that enable organizations of workers through the encrypted traffic can intercept self signed certificates. Should normally be set to the office computers to trust the proxy, but in this case it was not required by the wrongly issued certificates.

Google sees similarities with previously unduly certificates issued in 2013 by the French CA ANSSI . The Internet giant also denounces that CNNIC the power to create SSL certificates awarded to a company that was not suitable here. Chrome users do not have to do to be protected from rogue certificates, while Firefox users will have to wait for the arrival of Firefox 37 in which the certificate has been revoked. This version on March 31 appear.

No comments:

Post a Comment