Google is holding the Chinese government ultimately responsible for allowing the issue of unauthorized TLS certificates for several of its domains which were subsequently used in man-in-the-middle (MITM) attacks.
The false digital certificates were trusted by all major operating systems and browsers, although Firefox 33 and above and Chrome on Windows, OS X, and Linux, and ChromeOS were safe thanks to public key pinning, Google security engineer, Adam Langley, said in a blog post.
The rogue certs were issued by an intermediate certificate authority (CA), Egypt-based MCS Holdings, which operates under the Chinese Internet Network Information Center (CNNIC).
The CNNIC administrates China’s domain name registry, including the .cn TLD, and as such is included in all root stores for nearly all operating systems and browsers – hence the seriousness of the breach of rules found by Google.
Although technically a non-profit, CNNIC is overseen by the Cyberspace Administration of China (CAC), a controversial government agency directed by propaganda supremo Lu Wei – who has a direct line into president Xi Jinping.
Although Google fell short of laying the blame for the MITM attack directly at Beijing’s feet, it claimed: “CNNIC still delegated their substantial authority to an organization that was not fit to hold it.”
Google’s explained exactly what happened from a technical point of view after it discovered the incident and alerted CNNIC and other browser makers:
“CNNIC responded on the 22nd to explain that they had contracted with MCS Holdings on the basis that MCS would only issue certificates for domains that they had registered. However, rather than keep the private key in a suitable HSM, MCS installed it in a man-in-the-middle proxy. These devices intercept secure connections by masquerading as the intended destination and are sometimes used by companies to intercept their employees’ secure traffic for monitoring or legal reasons. The employees’ computers normally have to be configured to trust a proxy for it to be able to do this. However, in this case, the presumed proxy was given the full authority of a public CA, which is a serious breach of the CA system.”
Mozilla and Microsoft both responded to the news with announcements of their own.
The Firefox-maker said it would be banning the revoked intermediate certificate permanently as of version 37 of the browser.
It added:
“Additional action regarding this CA will be discussed in the mozilla.dev.security.policy forum. When similar incidents have happened in the past, responses have included requiring additional audits to confirm that the CA updated their procedures, and using name constraints to constrain the CA’s hierarchy to certain domains.”
Microsoft said it is updating its Certificate Trust list to remove the trust of the “subordinate CA certificate.”
Kevin Bocek, VP of security strategy and threat intelligence at crypto key security firm Venafi, argued that the revelations are likely to be just “the tip of the iceberg.”
“CNNIC is included in all browsers, smartphones, and tablets. The laptop on your desk and mobile phone in your pocket trust the Chinese government – the same government conducting cyber espionage on a daily basis against US companies and government agencies,” he said.
“This is shocking to many. Even more shocking is that the same devices trust over 200 CAs from around the world. This discovery is another wake-up call that we cannot place blind trust in certificates anymore.”
Charlie Smith, co-founder of anti-censorship body Greatfire.org, argued the revelations proved CNNIC and CAC were behind a string of high profile MITM attacks on Outlook, iCloud, Yahoo and GitHub dating back over two years.
“Previously we asked: How many more times are foreign internet firms willing to stand idle on the sidelines while their customers in China, numbering in the hundreds of millions, are being put in grave danger every time they use their products?” he said in an emailed statement.
“Well, we now have an answer to that question as Google, Microsoft and Mozilla all made public statements yesterday about CAC's dangerous actions. As usual, Apple has remained silent.”
Smith repeated his calls for the tech giants in question to take action beyond mere statements.
“CNNIC is still trusted by these platforms and the Chinese authority can sign other intermediate certificates in order to launch future MITM attacks,” he warned.
“We once again call for Google, Mozilla, Microsoft and Apple to revoke trust for CNNIC immediately in order to protect Chinese user data and user data worldwide.”