Google has revoked trust for a digital certificate for several of its domains that was apparently mistakenly signed by a French Government intermediate certificate authority (CA) as part of a security program for France’s Ministry of Treasury.
Google has called the intermediate CA’s action a “serious breach” and has made two key changes to its certificate revocation metadata in Chrome in the past week in response to its December 3 discovery of the unauthorised digital certificate.
Although intermediate CA certificates are similar to standard SSL certificates, they can also be used to generate other SSL certificates, making them a useful weapon to anyone that wants to launch a man-in-the-middle attack on a website’s users. As Google security engineer Adam Langley noted on Saturday: “Intermediate CA certificates carry the full authority of the CA, so anyone who has one can use it to create a certificate for any website they wish to impersonate.”
Google initially revoked trust for the intermediate CA, but, as it turns out, the certificate was all a big mistake — caused by a misguided effort to improve security within France’s Ministry of Finance, which used the certificate to inspect encrypted traffic on a private network.
After discovering the unauthorised certificate, Google traced it to an intermediate CA that linked back to Agence nationale de la sécurité des systèmes d’information (ANSSI), which is both a certificate authority and the agency responsible for protecting France’s government networks.
Langley explained that Google initially updated Chrome’s certificate revocation metadata to block the intermediate CA itself and then alerted ANSSI and other browser vendors. However, on Saturday, following an explanation by ANSSI, Google amended Chrome’s revocation metadata to only block the certificate. ANSSI has asked other browser vendors to pull trust for the certificate too.
“ANSSI has found that the intermediate CA certificate was used in a commercial device, on a private network, to inspect encrypted traffic with the knowledge of the users on that network. This was a violation of their procedures and they have asked for the certificate in question to be revoked by browsers. We updated Chrome’s revocation metadata again to implement this,” wrote Langley.
ANSSI also released a statement on Saturday, putting the misuse of the digital certificate down to “human error” and promising it won’t happen again.
“As a result of a human error which was made during a process aimed at strengthening the overall IT security of the French Ministry of Finance, digital certificates related to third-party domains which do not belong to the French administration have been signed by a certification authority of the DGTrésor (Treasury) which is attached to the IGC/A,” said ANSSI.
“The mistake has had no consequences on the overall network security, either for the French administration or the general public. The aforementioned branch of the IGC/A has been revoked preventively.”
Nonetheless, Langley pointed out that what it did was a “serious breach” and demonstrated why its own initiative Certificate Transparency (CT) was needed. According to the CT program’s website, CT is an early warning system for SSL certificates that have been mistakenly issued by a CA or maliciously acquired from rogue CAs.
According to Moxie Marlinspike, a well-known security researcher and founder of Whisper Systems, Google detected the rogue certificate thanks to “certificate pins” that ship with Chrome and are designed to flag bogus certificates.
“This compromise was detected by Google because they have hard-coded 'certificate pins' in Chrome which specify which CAs the browser should expect to see when connecting to Google,” wrote Marlinspike on THN.
“This type of 'pinning' is the only technique that we know of which has actually detected a CA-assisted MITM attack in the wild (a few times now). So it works really well, but only if you're running Chrome, and only if you're connecting to Google (or the few other pinned sites hardcoded in Chrome).”
While it does work, there are limitations to this method, he notes.
“It doesn't scale well because not every website can (or is willing to) hardcode their CA information in browser binaries, the pinned information has to expire at some point (otherwise you can never change your CA), sites are still vulnerable to their own CAs, and it only works in browsers which are willing to maintain this hardcoded list of pins in their client binaries.”
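The pin check Marlinspike describes, and two of the limits he lists, as a simplified model added here; it is not Chrome's code or part of the original article. The host name, the SPKI byte strings and the expiry date are constructed, and every chain is assumed to have already passed normal CA validation.

```python
import base64
import hashlib
from datetime import date

def spki_pin(spki_der: bytes) -> str:
    """A pin is base64(SHA-256(SubjectPublicKeyInfo)) of a certificate's public key."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

# Constructed stand-ins for DER-encoded SubjectPublicKeyInfo blobs (not real keys).
SPKI = {name: f"constructed-spki:{name}".encode() for name in (
    "expected-root", "expected-intermediate",
    "other-trusted-root", "rogue-intermediate", "leaf-a", "leaf-b")}

# Hypothetical pin set shipped inside the client binary for one host.
PINSET = {
    "host": "pinned.example",
    "pins": {spki_pin(SPKI["expected-root"]), spki_pin(SPKI["expected-intermediate"])},
    "expires": date(2014, 6, 1),  # constructed date; pins must lapse so the CA can change
}

def check_pins(host, chain_spkis, today, pinset=PINSET):
    """Return 'not-pinned', 'pins-expired', 'ok' or 'pin-violation'.

    The chain is assumed to be CA-valid already; pinning is an extra check
    that at least one key in the chain is one the client expects for this host.
    """
    if host != pinset["host"]:
        return "not-pinned"        # most sites have no hard-coded pins
    if today >= pinset["expires"]:
        return "pins-expired"      # stale binary: enforcement is switched off
    chain_pins = {spki_pin(s) for s in chain_spkis}
    return "ok" if chain_pins & pinset["pins"] else "pin-violation"

def chain(*names):
    return [SPKI[n] for n in names]

# Constructed chains: the usual one, one signed under a different trusted CA,
# and one mis-issued by the site's own pinned CA.
LEGIT = chain("leaf-a", "expected-intermediate", "expected-root")
OTHER_CA = chain("leaf-b", "rogue-intermediate", "other-trusted-root")
OWN_CA_MISISSUED = chain("leaf-b", "expected-intermediate", "expected-root")

if __name__ == "__main__":
    now = date(2013, 12, 9)
    for label, c in (("legit", LEGIT), ("other CA", OTHER_CA), ("own CA", OWN_CA_MISISSUED)):
        print(label, "->", check_pins("pinned.example", c, now))
    print("after expiry ->", check_pins("pinned.example", OTHER_CA, date(2014, 7, 1)))
```

The chain signed under a different trusted CA is flagged only while the pins are current and only for the pinned host; a certificate mis-issued by the site's own pinned CA still passes.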