Google spoke out this week after security engineers discovered fake SSL certificates linked to a French government agency earlier this month. On December 3rd, security engineers found that a government agency in France was using unauthorized digital certificates on various Google domains, including Gmail, which allowed the agency to act as man-in-the-middle of private domains and sites they did not own.
Google discovered that there were certificates claiming to be Google CA’s, but were, in fact, not owned by them. After Google shut down the certificate and informed the French Network and Information Security Agency, or ANSSI, of the matter, they learned that the French Treasury had been keeping a “close eye” on their employee’s browsing habits, apparently with the employees permission – but not Google’s.
SSL certificates work to verify that a website is what it says it is, binding together the domain with the organization/company and location. Once a secure connection is established, all the web traffic between server and browser is secured. The certificates are issued by either root Certificate Authorities (CA) or intermediate CA’s verified by the root CA, allowing the browser to accept their certificates.
The intermediate CA is granted the authority of the root CA and can be used to sign certificates for domain names that would be trusted in all browsers. By creating a fake certificate, the hacker can imitate a site (Google, for example,) in order to obtain information that the victim enters in, thinking it’s a legitimate site. That explains one method of Man-in-the-Middle attacks.
Man-in-the-middle attacks are a popular method of hacking, both by cybercriminals and government agencies for surveillance. The NSA, for example, has been involved in man-in-the-middle-attacks in order to circumvent SSL encryption and spy on multinational companies.
The ANSSI issued the following statement about the matter:
“As a result of a human error which was made during a process aimed at strengthening the overall IT security of the French Ministry of Finance, digital certificates related to third-party domains which do not belong to the French administration have been signed by a certification authority of the DGTrésor (Treasury).”
ANSSI went on to say that the issue did not affect the overall security and that they have preemptively revoked the certification power of the Treasury responsible for the error.
Google took the opportunity to promote their Certificate Transparency project, which is working to mend several structural flaws in the SSL certificate system, such as the chain of trust between root and intermediate CA’s. Their new recommended framework would eliminate the issue by auditing certificate’s in real-time, an that would have immediately shut down the French Treasurys’ certificates had the new framework been in place.
French Government ANSSI Responsible For A MITM Against Google SSL-TLS – Security Affairs
Further Improving Digital Certificate Security – Google Security Blog
The Certificate Transparency Project by Google
Sign up today & never miss an update from the Checkmarx blog
Interested in trying CxSAST on your own code? You can now use Checkmarx's solution to scan uncompiled / unbuilt source code in 18 coding and scripting languages and identify the vulnerable lines of code. CxSAST will even find the best-fix locations for you and suggest the best remediation techniques. Sign up for your FREE trial now.
Checkmarx is now offering you the opportunity to see how CxSAST identifies application-layer vulnerabilities in real-time. Our in-house security experts will run the scan and demonstrate how the solution's queries can be tweaked as per your specific needs and requirements. Fill in your details and we'll schedule a FREE live demo with you.