Microsoft blacklists latest rogue SSL certificates, Mozilla mulls sanctions for issuer

Microsoft revoked trust in an intermediate CA certificate that was used to issue unauthorized certificates for Google websites

Microsoft has blacklisted a subordinate CA certificate that was wrongfully used to issue SSL certificates for several Google websites. The action will prevent those certificates from being used in Google website spoofing attacks against Internet Explorer users.

Microsoft's move, taken on Tuesday, came after Google reported that the China Internet Network Information Center (CNNIC), a certificate authority (CA) trusted by most browsers and operating systems, issued an intermediate certificate to an Egyptian company called MCS Holdings. The company then used it to generate SSL certificates for Google-owned websites without authorization.

An intermediate certificate gives its holder the ability to issue SSL certificates for other domain names. In other words, CNNIC delegated its certificate authority powers to MCS Holdings, transforming the latter into a subordinate CA.

MCS Holdings installed the sub-CA certificate in a firewall device with SSL/TLS traffic inspection capabilities. Such devices act as man-in-the-middle (MITM) proxies and are used by some companies to enforce their IT security policies even when employees visit HTTPS websites.

The MCS Holdings appliance used the sub-CA certificate to issue certificates for several Google domain names, and possibly other sites, allowing it to analyze SSL/TLS encrypted traffic between the company's employees and those websites.

The use of a widely trusted sub-CA certificate for such a purpose is dangerous, because if the firewall device is compromised and hackers steal the certificate, they can use it to launch website spoofing attacks against any user on the Internet.

If they want to perform MITM SSL interception on their networks, companies should use self-generated CA certificates instead and manually deploy them on all of their systems. If such certificates later get stolen, attackers would only be able to target the corresponding organizations, not users at large.

Google and Mozilla blacklisted the sub-CA certificate misused by MCS Holdings on Monday, so certificates it has signed are no longer trusted by Chrome and Firefox. Microsoft's action Tuesday extended the blacklisting to Internet Explorer and any other software program that relies on the Windows root certificate store to validate certificates.

Mozilla, which maintains its own separate list of trusted root CA certificates, is now debating whether CNNIC should be punished for issuing the intermediate certificate in the first place, as the Chinese organization appears to have done so in violation of Mozilla's policies.

In a discussion on the Mozilla Dev Security Policy mailing list, a representative of CNNIC said that the organization issued the intermediate certificate, which had a validity period of only two weeks, as a test, under an agreement that MCS Holdings would only use it to generate certificates for its own domain names.

However, regardless of whether MCS failed to respect that agreement, CNNIC does not appear to have fulfilled all requirements for subordinate CA certificates that are specified in Mozilla's CA Certificate Inclusion Policy and the CA/Browser Forum's Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates.

Both sets of guidelines require subordinate CA certificates to be either technically constrained, such that they can only be used to issue certificates for specific domain names, or be publicly disclosed and subjected to the same type of audits as root CA certificates.
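What "technically constrained" means in practice is an X.509 name-constraints extension on the sub-CA certificate, which clients enforce during path validation (RFC 5280, section 4.2.1.10). The following is an added example, not code from the article or from any CA or browser vendor: it models certificates as plain dictionaries (no real X.509 parsing or signature checking), uses constructed placeholder domain names rather than the real ones in the story, and treats a leading-dot constraint such as ".example.test" as "strict subdomains only", which is an assumption about implementation behaviour rather than a rule from the RFC. It shows why an unconstrained sub-CA in an interception appliance can mint a certificate for any site, while a constrained one cannot, and how constraints from several CAs in a path intersect.

```python
"""Toy model of RFC 5280 DNS name constraints on a sub-CA certificate.

Added example for illustration only. Certificates are dicts with keys:
subject, is_ca, dns_names (SAN dNSNames), permitted, excluded.
All domain names below are constructed placeholders.
"""
from typing import Dict, List, Tuple

Cert = Dict[str, object]


def dns_name_matches(name: str, constraint: str) -> bool:
    """RFC 5280 DNS subtree rule: a name satisfies the constraint if it equals
    it or is formed by adding labels on the left (www.host.example.test matches
    host.example.test; host1.example.test does not). A leading-dot constraint
    is treated as 'strict subdomain only' (assumption, not from the RFC)."""
    name = name.lower().rstrip(".")
    constraint = constraint.lower().rstrip(".")
    if constraint.startswith("."):
        return name.endswith(constraint) and len(name) > len(constraint)
    return name == constraint or name.endswith("." + constraint)


def names_allowed(names: List[str], permitted_sets: List[List[str]],
                  excluded: List[str]) -> Tuple[bool, str]:
    """Every name must avoid all excluded subtrees and fall inside at least
    one permitted subtree of EACH constraining CA (intersection)."""
    for n in names:
        if any(dns_name_matches(n, ex) for ex in excluded):
            return False, f"{n} is in an excluded subtree"
        for perm in permitted_sets:
            if not any(dns_name_matches(n, p) for p in perm):
                return False, f"{n} is outside permitted subtrees {perm}"
    return True, "ok"


def validate_chain(chain: List[Cert]) -> Tuple[bool, str]:
    """chain is ordered root -> intermediates -> leaf. Constraints carried by
    a CA certificate apply to every certificate below it in the path."""
    permitted_sets: List[List[str]] = []
    excluded: List[str] = []
    for i, cert in enumerate(chain):
        if i > 0 and not chain[i - 1]["is_ca"]:
            return False, f"{chain[i - 1]['subject']} is not a CA"
        ok, why = names_allowed(list(cert.get("dns_names", [])),
                                permitted_sets, excluded)
        if not ok:
            return False, f"{cert['subject']}: {why}"
        if cert["is_ca"]:
            if cert.get("permitted"):
                permitted_sets.append(list(cert["permitted"]))
            excluded.extend(cert.get("excluded", []))
    return True, "chain valid"


# Constructed sample certificates (placeholder names, not real domains).
ROOT = {"subject": "Example Root CA", "is_ca": True}
UNCONSTRAINED_SUB = {"subject": "Appliance Sub-CA (unconstrained)", "is_ca": True}
CONSTRAINED_SUB = {"subject": "Appliance Sub-CA (constrained)", "is_ca": True,
                   "permitted": ["mcs-example.test"]}
DEEPER_SUB = {"subject": "Dev Sub-CA", "is_ca": True,
              "permitted": ["dev.mcs-example.test"]}
EXCLUDING_SUB = {"subject": "Sub-CA excluding search-example.test",
                 "is_ca": True, "excluded": [".search-example.test"]}
LEAF_OWN = {"subject": "www.mcs-example.test", "is_ca": False,
            "dns_names": ["www.mcs-example.test"]}
LEAF_DEV = {"subject": "api.dev.mcs-example.test", "is_ca": False,
            "dns_names": ["api.dev.mcs-example.test"]}
LEAF_SPOOF = {"subject": "www.search-example.test", "is_ca": False,
              "dns_names": ["www.search-example.test"]}


def demo() -> Dict[str, bool]:
    """Which (sub-CA, leaf) combinations a constraint-enforcing client accepts."""
    return {
        # The risk in the article: nothing in path validation stops this.
        "unconstrained_spoof": validate_chain([ROOT, UNCONSTRAINED_SUB, LEAF_SPOOF])[0],
        "constrained_spoof": validate_chain([ROOT, CONSTRAINED_SUB, LEAF_SPOOF])[0],
        "constrained_own": validate_chain([ROOT, CONSTRAINED_SUB, LEAF_OWN])[0],
        # Nested CAs: both permitted lists must be satisfied.
        "nested_own": validate_chain([ROOT, CONSTRAINED_SUB, DEEPER_SUB, LEAF_OWN])[0],
        "nested_dev": validate_chain([ROOT, CONSTRAINED_SUB, DEEPER_SUB, LEAF_DEV])[0],
        "excluded_spoof": validate_chain([ROOT, EXCLUDING_SUB, LEAF_SPOOF])[0],
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:20s} accepted={accepted}")
```

A real client also checks signatures, validity periods, basicConstraints and the critical flag on the name-constraints extension; the point of the toy is only that a constrained sub-CA can be abused no further than its permitted subtree, while an unconstrained one issued to an interception appliance is, to every relying party, as powerful as the root that signed it.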

The intermediate certificate issued by CNNIC met neither of those conditions, according to comments on the Mozilla mailing list. As such, discussion participants have proposed sanctions that range from completely removing CNNIC from the list of CAs trusted by Mozilla to restricting trust in CNNIC to .cn domains only.

An official decision has not yet been reached by Mozilla.

This is not the first case of subordinate CA certificates being misused. In 2013, a French national cybersecurity agency called ANSSI issued an intermediate certificate to the Treasury department of the French Ministry of Finance. That certificate was then used to issue certificates for Google domains without authorization. One year earlier, a certificate authority called Turktrust issued a certificate to the Municipality of Ankara that unintentionally had a sub-CA profile. That certificate was later installed in a firewall appliance and used for SSL traffic inspection on a local network.

Stories by Lucian Constantin