Wednesday, July 11, 2018

When A Google Engineer Found Unauthorized SSL Certificates

The thing that is most disturbing about this scam is that ‘India CCA’ (Indian Controller of Certifying Authorities) is incorporated with Microsoft Root Store because of which it is trusted by a majority of programs such as Internet Explorer and chrome.

Windows is the most common OS used by a large number of people as it supports a majority of programs. Users using Chrome on other OS than Windows like Android, IOS etc remains unaffected. Firefox also remains unmoved as it uses its own root store; therefore, SSL certificate is not required. There is a relief to other operating systems other than windows as there are no other root stores that incorporate with India CCA certificates.

The major concern kicks in when the issuer is holding a number of intermediate CA certificates that are trusted by India CCA as well as by some western companies. Although no evidence of Windows using these fake certificates has come up so far, however, an investigation is ongoing to find if there are any. This concern was brought to Indian agencies and Microsoft as a result of which all fake SSL certificates were withdrawn within few days. Required steps were taken by authorities to protect user’s information. Not only this, but India CCA is investigating the issue to find the root cause as it happened earlier too.



Certificate Transparency

Google accepts that it is a serious breach of CA system and such incidents indicate that Google’s Certificate Transparency efforts are critical for protecting the security of certificates in the future. Certificate transparency will help in:

Eliminating security flaws as it will provide an open framework to monitor and audit SSL certificate in near real time.

Detect fake SSLs.

Identifying CAs attempt to issue unauthorized SSL certificates

Pinning public key can specify authorized SSL certificates.

Issuing authorities as well as can reject fake dodge SSL certificates.


Fake Certificate Security Issues

SSL/TLS (Security Socket Layer/ Transport Layer Security) encryption systems are badly hit by this dodgy SSL certificate, which was used to secure https:// connection. Various issues that have been raised so far are listed below:

• A warning was issued by Microsoft over ‘improper issued’ SSL certificate which could have resulted in a phishing attack.

• Apple also got alerted about the critical SSL flaw in Mac OS and iOS

• Google has warned CNNIC, an intermediate certificate authority, about the issuing of unauthorized digital certificates.

No comments:

Post a Comment