An Egyptian networking and security company in Cairo accidentally issued unauthorized digital certificates for several Google Web domains earlier this month, temporarily putting the domains at risk of being spoofed.
Google detected the unauthorized certificates on March 20 and has since blocked the bogus certificates to eliminate the risk, Google security engineer Adam Langley said in a blog post Monday.
The certificates no longer pose a threat for Chrome users, Langley said. “We have no indication of abuse and we are not suggesting that people change passwords or take other action,” he wrote.
Microsoft and Mozilla also took steps to neutralize the risk of the certificates compromising the security of people using Internet Explorer and Firefox browsers to visit the Google domains covered by the illegal digital certificates.
Browsers rely on digital certificates to encrypt communications and to authenticate the identity of clients and servers on the Web. Someone with a fake or unauthorized digital certificate can use it to spoof a legitimate domain and intercept communications to and from that domain.
Problems involving digital certificates are not all that uncommon. Google has even launched a project called the Certificate Transparency project with the goal of resolving some of the basic security weaknesses in the security certificate system.
In this particular instance, the unauthorized digital certificates resulted from what appears to have been the mishandling of an intermediate digital certificate by Cairo-based MCS Holdings, Langley said.
China Internet Network Information Center (CNNIC), a non-profit organization and root Certificate Authority had issued the intermediate certificate to MCS, which is one of its customers.
“[CNNIC] contracted with MCS Holdings on the basis that MCS would only issue certificates for domains that they had registered,” Langley said. But instead of storing the intermediate certificate in a suitable hardware security module, MCS loaded it on a man-in-the-middle proxy server of the type typically used to intercept and monitor employee traffic, he said.
That error led to the proxy server eventually issuing digital certificates for domains that MCS Holdings did not own or control, Mozilla said in its blog.
“An attacker armed with a fraudulent SSL certificate and an ability to control their victim’s network could impersonate websites in a way that would be undetectable to most users,” Mozilla said. “Such certificates could deceive users into trusting websites appearing to originate from the domain owners, but actually containing malicious content or software.”
Langley described MCS’ handling of the intermediate certificate as a serious breach of the certificate authority system. The situation is similar to an incident in 2013 when French certificate authority ANSSI mistakenly issued digital certificates for multiple Google domains in the same manner that MCS did, he noted.
In that incident too, the certificates were accidentally issued when ANSSI used an intermediate certificate on an insecure commercial server connected to a private network, Langley said.
In response to the latest security breach, Google immediately blocked the MCS intermediate certificate in Chrome and alerted CNNIC and the other major browsers of the issue.
Microsoft’s alert noted that the company is aware of the improperly issued digital certificates from MCS Holdings, which it said could be used to spoof content and carrying out phishing or man-in-the-middle attacks. Microsoft has revoked MCS’ intermediate certificate to protect Internet users against such threats, the company noted.
Mozilla meanwhile recommended that Firefox users make sure they have installed latest version of the operating system.