Security Experts:

Connect with us

Hi, what are you looking for?


Network Security

Google Finds Unauthorized Certificates Issued by Intermediate CA

Unauthorized certificates for several Google domains were issued earlier this month by an Egypt-based company that obtained an intermediate certificate from the China Internet Network Information Center (CNNIC), the search giant reported on Monday.

Unauthorized certificates for several Google domains were issued earlier this month by an Egypt-based company that obtained an intermediate certificate from the China Internet Network Information Center (CNNIC), the search giant reported on Monday.

CNNIC, an organization under the Cyberspace Administration of China, operates certificates included in all major root stores. This means that certificates issued by the certificate authority (CA) are trusted by every popular web browser.

The misused intermediate certificate has been revoked by CNNIC, and Google, Mozilla and Microsoft have taken steps to protect their users. Google security engineer Adam Langley has pointed out that Chrome and recent versions of Firefox would have rejected the fraudulent Google certificates because of public-key pinning. However, it is likely that misused certificates exist for other domains as well, Langley said.

“We have been working diligently on the mis-issued third-party certificates and have revoked the related Subordinate Certification Authority certificate to help ensure that our customers remain protected. Customers with automatic updates enabled do not need to take any action to remain protected. For more details refer to Security Advisory 3050995,” a Microsoft spokesperson told SecurityWeek.

According to Google, the unauthorized certificates were discovered on March 20. CNNIC told the company that the intermediate certificate used to issue the fake Google certificates was given to Egypt-based MCS Holdings, which should have used it only to issue certificates for domains that they had registered.

However, instead of storing the private key on a hardware security module, MCS installed it on a firewall device that acted as a man-in-the-middle (MitM) proxy.

“These devices intercept secure connections by masquerading as the intended destination and are sometimes used by companies to intercept their employees’ secure traffic for monitoring or legal reasons,” Langley explained in a blog post. “The employees’ computers normally have to be configured to trust a proxy for it to be able to do this. However, in this case, the presumed proxy was given the full authority of a public CA, which is a serious breach of the CA system.”

While in this case it appears that the traffic interception was limited to MCS’s internal network, such an intermediate certificate can be highly valuable for a malicious actor.

“An attacker armed with a fraudulent SSL certificate and an ability to control their victim’s network could impersonate websites in a way that would be undetectable to most users. Such certificates could deceive users into trusting websites appearing to originate from the domain owners, but actually containing malicious content or software,” Mozilla’s security team said in a blog post.

Both Google and Mozilla said they are considering taking further action.

“When similar incidents have happened in the past, responses have included requiring additional audits to confirm that the CA updated their procedures, and using name constraints to constrain the CA’s hierarchy to certain domains,” Mozilla said.

MCS Holdings could not be reached for comment.

This isn’t the first time an organization issues unauthorized certificates for Google domains. Back in 2013, the French cybersecurity agency ANSSI issued such certificates and used them for MitM attacks on a private network. The agency blamed the incident on human error.

Major browser vendors have been working over the past period on addressing certificate-related issues. Google’s Certificate Transparency project aims at fixing structural flaws in the SSL/TLS certificate system through a framework for monitoring and auditing certificates in nearly real-time.

With the release of Firefox 37, Mozilla will introduce OneCRL, a new certificate revocation feature powered by a centralized list of blocked components. With the introduction of OneCRL, Firefox users will no longer have to update or restart the web browser in order to be protected.

*Updated with statement and additional information from Microsoft

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Network Security

NSA publishes guidance to help system administrators identify and mitigate cyber risks associated with transitioning to IPv6.

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Cybersecurity Funding

Forward Networks, a company that provides network security and reliability solutions, has raised $50 million from several investors.

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Network Security

Cisco patched a high-severity SQL injection vulnerability in Unified Communications Manager (CM) and Unified Communications Manager Session Management Edition (CM SME).

Cybersecurity Funding

Network security provider Corsa Security last week announced that it has raised $10 million from Roadmap Capital. To date, the company has raised $50...

Network Security

Vulnerabilities identified in TP-Link and NetComm router models could be exploited to achieve remote code execution (RCE).