According to the latest news from Google, the company has come across a new security hole in SSL. An intermediate certificate authority issued unauthorized certificates for Google domains. MCS Holdings issued certificates for Google domains even though it does not hold those domains, and that is where the problem arose.
SSL breaks down when companies mint certificates for websites they don't operate, which makes this a critical scenario. Let's go through how the SSL system is supposed to function:
Your PC connects to a Google server, which sends it a certificate. Your machine uses that certificate to encrypt the data session. The server, in return, confirms that the key is good, and the secure session with your machine is established. When a third party signs certificates for domains it does not operate, a false server can use them to perform a man-in-the-middle attack.
As far as the man-in-the-middle attack is concerned, a superseding Certificate Authority (CA) pretends to be a legitimate certificate-issuing authority, and that is exactly what happened in the current situation. This should not happen; Google has pointed out that the legitimate CA, CNNIC, shouldn't have given this authority to MCS Holdings.
In addition to the bugs in the SSL system, its major faulty assumption is that CAs will issue only good, legitimate certificates. History shows that this isn't true. Several Certificate Authorities have been hacked, including companies like DigiNotar and VeriSign.
Google reports that it wants to revamp the certificate issuing process through a project named the Certificate Transparency initiative. It aims to do the following in order to make the certificate issuing process transparent and legitimate:
- Adding preventive layers to the process by making it impossible, or at least extremely difficult, to issue a certificate without the domain owner noticing.
- Providing an open monitoring and auditing system that lets any CA or domain owner examine whether certificates have been issued by mistake or maliciously.
- Protecting users from being tricked by certificates that were mistakenly or deliberately issued.
The certificates are supposed to be logged, and that data will be monitored by public servers. These servers will check at regular intervals for any malicious or mistaken certificate. If, for instance, Certificate Authority ABC issued a wrong certificate for Gmail, a Certificate Transparency Monitor will detect this and alert the company. A cryptographic watchdog program will be maintained to check whether the logs have been tampered with or whether SSL certificates have been improperly maintained.
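The monitoring and tamper check described above can be sketched in a few lines of Python. This is an added example, not Google's code: the log entries, CA names and expected-issuer policy are constructed, and the watchdog is simplified to recomputing the RFC 6962 Merkle tree hash and comparing it with a previously published root.

```python
import hashlib

# Constructed sample log entries (domain, issuing CA); not real log data.
LOG = [
    ("mail.example.com", "Example Trusted CA"),
    ("www.example.org", "Other CA"),
    ("mail.example.com", "Certificate Authority ABC"),  # the wrong certificate
]
# Assumed policy: the CAs the domain owner actually uses.
EXPECTED_ISSUERS = {"mail.example.com": {"Example Trusted CA"}}

def leaf_bytes(entry):
    """Serialize one entry; a real log stores the certificate itself."""
    domain, issuer = entry
    return f"{domain}|{issuer}".encode()

def merkle_root(leaves):
    """Merkle tree hash over the log entries, as defined in RFC 6962."""
    if not leaves:
        return hashlib.sha256(b"").digest()
    if len(leaves) == 1:
        return hashlib.sha256(b"\x00" + leaves[0]).digest()
    k = 1
    while k * 2 < len(leaves):  # largest power of two below len(leaves)
        k *= 2
    left, right = merkle_root(leaves[:k]), merkle_root(leaves[k:])
    return hashlib.sha256(b"\x01" + left + right).digest()

def find_misissued(log, expected):
    """Monitor: flag entries for a watched domain from an unexpected CA."""
    alerts = []
    for index, (domain, issuer) in enumerate(log):
        allowed = expected.get(domain)
        if allowed is not None and issuer not in allowed:
            alerts.append((index, domain, issuer))
    return alerts

def log_matches_root(log, published_root):
    """Watchdog: any removed or altered entry changes the recomputed root."""
    return merkle_root([leaf_bytes(e) for e in log]) == published_root

if __name__ == "__main__":
    root = merkle_root([leaf_bytes(e) for e in LOG])
    print("alerts:", find_misissued(LOG, EXPECTED_ISSUERS))
    print("intact log matches root:", log_matches_root(LOG, root))
    print("log with entry removed matches root:", log_matches_root(LOG[:2], root))
```

Real auditors check inclusion and consistency proofs against a signed tree head instead of rehashing the whole log, but the property they rely on is the same: the root commits to every entry.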