Google has revealed in a blog post that unauthorized digital certificates were issued for several Google domains, which can cause security breaches online. The main concern is data interception, and this is why the problem with these certificates has been made public.
The unauthorized certificates were issued under a certificate authority held by MCS Holdings, while the intermediate certificate in question was issued by CNNIC. The bad news is that CNNIC is included in all the major root stores, so almost all browsers and operating systems could be exposed to the unauthorized certificates. On the bright side, though, Chrome on Windows, OS X, and Linux, Chrome OS, as well as Firefox 33 and greater include public-key pinning. This security feature, introduced in 2011, lets them automatically reject a certificate that is identified as flawed or not genuine.
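How a pin check can reject a chain that the root store accepts, as an added example (not code from Google or from the original article). Host names and key bytes are constructed stand-ins, signature verification is omitted, and the pin format assumed is the SHA-256 public-key hash used by HTTP Public Key Pinning (RFC 7469).

```python
import base64
import hashlib

def spki_pin(spki_der: bytes) -> str:
    """Pin = base64(SHA-256(SubjectPublicKeyInfo)), the RFC 7469 form."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")

def evaluate(host, chain, root_store, pinset):
    """chain: public-key byte strings ordered leaf -> intermediate(s) -> root."""
    fingerprints = [spki_pin(spki) for spki in chain]
    # Step 1: ordinary root-store trust (signature checks omitted in this sketch).
    if not fingerprints or fingerprints[-1] not in root_store:
        return "reject: untrusted root"
    # Step 2: for a pinned host, at least one key in the chain must be pinned.
    pins = pinset.get(host)
    if pins is not None and pins.isdisjoint(fingerprints):
        return "reject: pin mismatch"
    return "accept"

# Constructed stand-ins for DER-encoded public keys (not real key material).
EXPECTED_ROOT = b"constructed-spki/expected-root"
EXPECTED_INT = b"constructed-spki/expected-intermediate"
OTHER_ROOT = b"constructed-spki/other-trusted-root"
SUBORDINATE_INT = b"constructed-spki/subordinate-intermediate"

# Both roots are in the client's root store, so both chains pass step 1.
ROOT_STORE = {spki_pin(EXPECTED_ROOT), spki_pin(OTHER_ROOT)}
# Hypothetical pin list: only pinned.example is pinned (one live key, one backup).
PINSET = {
    "pinned.example": {
        spki_pin(EXPECTED_INT),
        spki_pin(b"constructed-spki/backup-key"),
    }
}

GOOD_CHAIN = [b"constructed-spki/site-leaf", EXPECTED_INT, EXPECTED_ROOT]
MISISSUED_CHAIN = [b"constructed-spki/unauthorized-leaf", SUBORDINATE_INT, OTHER_ROOT]

if __name__ == "__main__":
    cases = [
        ("pinned.example", GOOD_CHAIN),
        ("pinned.example", MISISSUED_CHAIN),
        ("unpinned.example", MISISSUED_CHAIN),
    ]
    for host, chain in cases:
        print(f"{host}: {evaluate(host, chain, ROOT_STORE, PINSET)}")
```

The third case is the gap pinning leaves: a host with no pin entry gets no protection from a chain that ends in any trusted root.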
Google has already blocked MCS Holdings and has thoroughly informed CNNIC of the urgent matter that has emerged. Google has characterized its communication with CNNIC as satisfactory, since the reasoning that CNNIC has given regarding MCS Holdings has been just and consistent. More specifically, Adam Langley from the Security Department of Google has backed up the claims of CNNIC. However, he did highlight the fact that authority was given to an organization that did not live up to the task, with potential harm to Internet users.
As to the extent of the damage, Adam Langley has stated: “Chrome users do not need to take any action to be protected by the CRLSet updates. We have no indication of abuse and we are not suggesting that people change passwords or take other action. At this time we are considering what further actions are appropriate.”
This is another incident that brings to light the deficiencies of online security. Even though HTTPS has been regarded as perfectly secure to browse over, it looks like there are enough loopholes to keep everyone on edge. According to the same Google blog post, the recent incident is further proof of the need for Certificate Transparency.
From their official site, we read the following as to the use and effectiveness of this project: “Google’s Certificate Transparency project fixes several structural flaws in the SSL certificate system, which is the main cryptographic system that underlies all HTTPS connections. These flaws weaken the reliability and effectiveness of encrypted Internet connections and can compromise critical TLS/SSL mechanisms, including domain validation, end-to-end encryption, and the chains of trust set up by certificate authorities. If left unchecked, these flaws can facilitate a wide range of security attacks, such as website spoofing, server impersonation, and man-in-the-middle attacks.”
So, Certificate Transparency does appear to be a powerful means of protection online. Even with the TLS/SSL security protocols in place, relying on alternative methods can still leave room for man-in-the-middle attacks, hacking or data interception. Although there is no need for anybody to lose sleep over the recent unauthorized digital certificates, the incident is definitely food for thought!