Unauthorized certificates being used for Google domains


852951_sAccording to this post, researchers at Google have discovered that fake digital certificates are being used for several of their domains. Digital certificates, in a nutshell, are electronic documents used to verify a digital entity’s identity. That entity can be a website you connect to, a software developer you download a product from, or even another person with whom you want to establish secure communications. Digital certificates are crucial to modern day e-commerce, banking, software development and just about any other type of information sharing that gets done on the web. To learn more about digital certificates and why they’re important, see this article.

Certificates misused to create man-in-the-middle proxy

In this case, digital certificates have been issued by an intermediate certificate authority called CNNIC. The unauthorized SSL certificates are misused by a third party, who have inserted a man in the middle proxy. This is similar to the SuperFish or PrivDog scenario, only this time, no cyber criminal is required to create the proxy, it is already present as the data is already being transferred through an insecure device. Since CNNIC is a widely used vendor, the misused certificates would be trusted by most web browsers on OS X, Android and Windows.  However, Google Chrome, Firefox 33 and higher are safe. Newer versions of Google Chrome or Chromium also implement a security feature know as CRLSets which allows the browser to quickly block invalid certificates in emergency situations.

CNNIC responded by saying that they were under a contract with a company called MCS Holdings, who were supposed to only issue certificates for the domains that they had registered. It turns out though, that MCS ended up inserting a man-in-the-middle proxy instead. This means that although the connection appears to be private and secure, the data is actually transmitted through an unregistered device, which may end up giving cyber criminals unauthorized access to sensitive data such as credit card info, passwords and more. Hopefully the certificate authorities will act quickly to put an end to this issue.

Emsisoft Enterprise Security + EDR

Robust and proven endpoint security solution for organizations of all sizes. Start free trial

Have a nice (and secure) day!

Senan Conrad

Senan Conrad

Senan specializes in giving readers insight into the constantly and rapidly changing world of cybersecurity. When he’s not tapping away at his keyboard, he enjoys drinking a good coffee or tinkering in his workshop.

What to read next