Google announced on Saturday that it detected a French government agency using unauthorized digital certificates for several Google domains to perform man-in-the-middle attacks on a private network.
Google security engineer Adam Langley said the company traced the fraudulent certificates to Agence nationale de la sécurité des systèmes d’information (ANSSI), a French certificate authority that falls under the government’s cyber-security agency.
“ANSSI has found that the intermediate CA certificate was used in a commercial device, on a private network, to inspect encrypted traffic with the knowledge of the users on that network. This was a violation of their procedures and they have asked for the certificate in question to be revoked by browsers. We updated Chrome’s revocation metadata again to implement this,” Langley announced.
In a separate statement, ANSSI blamed “human error” for the incident.
From the ANSSI statement:
As a result of a human error which was made during a process aimed at strengthening the overall IT security of the French Ministry of Finance, digital certificates related to third-party domains which do not belong to the French administration have been signed by a certification authority of the DGTrésor (Treasury) which is attached to the IGC/A.
The mistake has had no consequences on the overall network security, either for the French administration or the general public. The aforementioned branch of the IGC/A has been revoked preventively.
The reinforcement of the whole IGC/A process is currently under supervision to make sure no incident of this kind will ever happen again.
Google’s Langley described the incident as a “serious breach” and warned that the company is considering additional actions. He did not elaborate.
Langley also stressed the importance of the company’s Certificate Transparency project, which attempts to fix structural flaws in the SSL certificate system.
The Certificate Transparency project works to eliminate vulnerabilities in the system by providing an open framework for monitoring and auditing SSL certificates in real time.
The goal is to detect SSL certificates that have been mistakenly issued by a certificate authority or maliciously acquired from an otherwise unimpeachable certificate authority. It also makes it possible to identify certificate authorities that have gone rogue and are maliciously issuing certificates.
Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.
More from Ryan Naraine
- Microsoft Catches Chinese .Gov Hackers Targeting US Critical Infrastructure
- Researchers Spot APTs Targeting Small Business MSPs
- Mikrotik Belatedly Patches RouterOS Flaw Exploited at Pwn2Own
- Red Hat Pushes New Tools to Secure Software Supply Chain
- Investors Make $6M Bet on Manifest for SBOM Management Technology
- Entro Raises $6M to Tackle Secrets Sprawl
- IBM Snaps up DSPM Startup Polar Security
- Huntress Closes $60M Series C for MDR Expansion
Latest News
- Industrial Giant ABB Confirms Ransomware Attack, Data Theft
- Organizations Worldwide Targeted in Rapidly Evolving Buhti Ransomware Operation
- Google Cloud Users Can Now Automate TLS Certificate Lifecycle
- Zyxel Firewalls Hacked by Mirai Botnet
- Watch Now: Threat Detection and Incident Response Virtual Summit
- NCC Group Releases Open Source Tools for Developers, Pentesters
- Memcyco Raises $10 Million in Seed Funding to Prevent Website Impersonation
- New Russia-Linked CosmicEnergy ICS Malware Could Disrupt Electric Grids
