Google announced on Saturday that it detected a French government agency using unauthorized digital certificates for several Google domains to perform man-in-the-middle attacks on a private network.
Google security engineer Adam Langley said the company traced the fraudulent certificates to Agence nationale de la sécurité des systèmes d’information (ANSSI), a French certificate authority that falls under the government’s cyber-security agency.
“ANSSI has found that the intermediate CA certificate was used in a commercial device, on a private network, to inspect encrypted traffic with the knowledge of the users on that network. This was a violation of their procedures and they have asked for the certificate in question to be revoked by browsers. We updated Chrome’s revocation metadata again to implement this,” Langley announced.
In a separate statement, ANSSI blamed “human error” for the incident.
From the ANSSI statement:
As a result of a human error which was made during a process aimed at strengthening the overall IT security of the French Ministry of Finance, digital certificates related to third-party domains which do not belong to the French administration have been signed by a certification authority of the DGTrésor (Treasury) which is attached to the IGC/A.
The mistake has had no consequences on the overall network security, either for the French administration or the general public. The aforementioned branch of the IGC/A has been revoked preventively.
The reinforcement of the whole IGC/A process is currently under supervision to make sure no incident of this kind will ever happen again.
Google’s Langley described the incident as a “serious breach” and warned that the company is considering additional actions. He did not elaborate.
Langley also stressed the importance of the company’s Certificate Transparency project, which attempts to fix structural flaws in the SSL certificate system.
The Certificate Transparency project works to eliminate vulnerabilities in the system by providing an open framework for monitoring and auditing SSL certificates in real time.
The goal is to detect SSL certificates that have been mistakenly issued by a certificate authority or maliciously acquired from an otherwise unimpeachable certificate authority. It also makes it possible to identify certificate authorities that have gone rogue and are maliciously issuing certificates.
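The monitoring side of that framework can be illustrated with a small domain-owner monitor, added here as an example and not code from Google or the Certificate Transparency project. It walks a set of constructed log entries (placeholder issuer names, not real CAs) and flags any certificate that covers a monitored domain but was issued by a CA outside that domain's expected set, which is exactly the class of mis-issuance described above.

```python
"""Minimal Certificate Transparency style monitor (added example).

Given certificate records harvested from a CT log (here constructed
sample entries, not real log data), flag every certificate that covers
a monitored domain but was not issued by one of that domain's expected
issuers. A domain owner running this over real log entries would notice
an unexpected intermediate CA signing certificates for its names."""
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class CertRecord:
    log_index: int   # position of the entry in the log (constructed)
    issuer: str      # issuer common name (placeholder values below)
    sans: tuple      # dNSName SubjectAltNames carried by the certificate


def name_matches(pattern: str, domain: str) -> bool:
    """Match a certificate name against a monitored domain.
    A wildcard '*.example.com' covers exactly one extra label on the
    left (RFC 6125 style); any other name must match exactly."""
    pattern, domain = pattern.lower(), domain.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]                      # ".example.com"
        head = domain[:-len(suffix)] if domain.endswith(suffix) else None
        return bool(head) and "." not in head
    return pattern == domain


def find_misissued(records: Iterable[CertRecord], policy: dict) -> list:
    """policy maps a monitored domain to the set of issuer CNs allowed
    to certify it. Returns (log_index, domain, issuer) for each record
    covering a monitored domain from an issuer outside the allowed set."""
    alerts = []
    for rec in records:
        for domain, allowed in policy.items():
            if any(name_matches(n, domain) for n in rec.sans) and rec.issuer not in allowed:
                alerts.append((rec.log_index, domain, rec.issuer))
    return alerts


# Constructed sample log entries; issuer names are placeholders, not real CA names.
SAMPLE_LOG = [
    CertRecord(1, "Example Trusted CA G2", ("www.google.com", "google.com")),
    CertRecord(2, "Example Trusted CA G2", ("*.google.com",)),
    CertRecord(3, "Example Intermediate CA (unexpected)", ("*.google.com", "mail.google.com")),
    CertRecord(4, "Example Intermediate CA (unexpected)", ("intranet.example.gov",)),
]
# Constructed policy: which issuers the domain owner expects for each name.
POLICY = {"www.google.com": {"Example Trusted CA G2"},
          "mail.google.com": {"Example Trusted CA G2"}}

if __name__ == "__main__":
    for idx, domain, issuer in find_misissued(SAMPLE_LOG, POLICY):
        print(f"log entry {idx}: {domain} covered by certificate from unexpected issuer {issuer!r}")
```

Entry 3 is reported once per monitored name it covers; entries from an expected issuer, and names nobody monitors, produce no alert.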