Connect with us

Hi, what are you looking for?


Network Security

Google Finds Unauthorized Certificates Issued by Intermediate CA

Unauthorized certificates for several Google domains were issued earlier this month by an Egypt-based company that obtained an intermediate certificate from the China Internet Network Information Center (CNNIC), the search giant reported on Monday.

Unauthorized certificates for several Google domains were issued earlier this month by an Egypt-based company that obtained an intermediate certificate from the China Internet Network Information Center (CNNIC), the search giant reported on Monday.

CNNIC, an organization under the Cyberspace Administration of China, operates certificates included in all major root stores. This means that certificates issued by the certificate authority (CA) are trusted by every popular web browser.

The misused intermediate certificate has been revoked by CNNIC, and Google, Mozilla and Microsoft have taken steps to protect their users. Google security engineer Adam Langley has pointed out that Chrome and recent versions of Firefox would have rejected the fraudulent Google certificates because of public-key pinning. However, it is likely that misused certificates exist for other domains as well, Langley said.

“We have been working diligently on the mis-issued third-party certificates and have revoked the related Subordinate Certification Authority certificate to help ensure that our customers remain protected. Customers with automatic updates enabled do not need to take any action to remain protected. For more details refer to Security Advisory 3050995,” a Microsoft spokesperson told SecurityWeek.

According to Google, the unauthorized certificates were discovered on March 20. CNNIC told the company that the intermediate certificate used to issue the fake Google certificates was given to Egypt-based MCS Holdings, which should have used it only to issue certificates for domains that they had registered.

However, instead of storing the private key on a hardware security module, MCS installed it on a firewall device that acted as a man-in-the-middle (MitM) proxy.

“These devices intercept secure connections by masquerading as the intended destination and are sometimes used by companies to intercept their employees’ secure traffic for monitoring or legal reasons,” Langley explained in a blog post. “The employees’ computers normally have to be configured to trust a proxy for it to be able to do this. However, in this case, the presumed proxy was given the full authority of a public CA, which is a serious breach of the CA system.”

While in this case it appears that the traffic interception was limited to MCS’s internal network, such an intermediate certificate can be highly valuable for a malicious actor.

Advertisement. Scroll to continue reading.

“An attacker armed with a fraudulent SSL certificate and an ability to control their victim’s network could impersonate websites in a way that would be undetectable to most users. Such certificates could deceive users into trusting websites appearing to originate from the domain owners, but actually containing malicious content or software,” Mozilla’s security team said in a blog post.

Both Google and Mozilla said they are considering taking further action.

“When similar incidents have happened in the past, responses have included requiring additional audits to confirm that the CA updated their procedures, and using name constraints to constrain the CA’s hierarchy to certain domains,” Mozilla said.

MCS Holdings could not be reached for comment.

This isn’t the first time an organization issues unauthorized certificates for Google domains. Back in 2013, the French cybersecurity agency ANSSI issued such certificates and used them for MitM attacks on a private network. The agency blamed the incident on human error.

Major browser vendors have been working over the past period on addressing certificate-related issues. Google’s Certificate Transparency project aims at fixing structural flaws in the SSL/TLS certificate system through a framework for monitoring and auditing certificates in nearly real-time.

With the release of Firefox 37, Mozilla will introduce OneCRL, a new certificate revocation feature powered by a centralized list of blocked components. With the introduction of OneCRL, Firefox users will no longer have to update or restart the web browser in order to be protected.

*Updated with statement and additional information from Microsoft

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.


As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.


Expert Insights

Related Content

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

Cybersecurity Funding

Network security provider Corsa Security last week announced that it has raised $10 million from Roadmap Capital. To date, the company has raised $50...

Network Security

Attack surface management is nothing short of a complete methodology for providing effective cybersecurity. It doesn’t seek to protect everything, but concentrates on areas...

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Network Security

NSA publishes guidance to help system administrators identify and mitigate cyber risks associated with transitioning to IPv6.

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...