Major browser makers revoke unauthorized Chinese TLS certificates

Google, Microsoft, and Mozilla have revoked unauthorized TLS certificates issued by an intermediate certificate authority that could have been used in man-in-the-middle attacks.

Major Web browser makers have revoked unauthorized TLS certificates issued by the Chinese Internet Network Information Center (CNNIC) because they could have led to man-in-the-middle attacks.

Google Inc. security engineer Adam Langley said in a blog post that the certificates were held by an intermediate certificate authority (CA), Egypt-based MCS Holdings, which operates under the CNNIC. This posed a significant risk, according to Langley, because CNNIC is included in all major root stores and the misissued certificates would be trusted by almost all browsers and operating systems. However, Chrome on Windows, OS X, and Linux, ChromeOS, and Firefox 33.0 and higher were said to be safe because public-key pinning rules would have rejected the unauthorized certificates.

Google notified the CNNIC, as well as other major browsers, and blocked the MCS Holdings certificate in Chrome by pushing an update to the CRLSet, which tracks revoked certificates. Mozilla Corp. has posted that it added the revoked certificate to OneCRL, a revocation mechanism shipping with Firefox 37, and Microsoft said it is updating its Certificate Trust list.

Microsoft's advisory noted that the improperly issued certificates could be used in man-in-the-middle (MITM) attacks, as well as spoofing or phishing attacks. According to Google and Mozilla, the vulnerability was created because CNNIC issued an unconstrained intermediate certificate, which was loaded by MCS into a firewall device acting as a MITM proxy, and a user inside their network accessed other servers, causing the firewall to issue certificates for domains that MCS did not own or control.
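The following audit is an added example, not code from the article or from any of the vendors named: it flags CA certificates that carry no limits on what they may sign. It assumes the third-party Python `cryptography` package and reads "unconstrained" as a CA certificate with no pathLenConstraint and no nameConstraints extension; every certificate and name in it is constructed test data.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def make_cert(cn, issuer_cn, signing_key, key, ca, path_length=None, permitted=None):
    start = datetime.datetime(2015, 3, 1)
    builder = (
        x509.CertificateBuilder()
        .subject_name(_name(cn)).issuer_name(_name(issuer_cn))
        .public_key(key.public_key()).serial_number(x509.random_serial_number())
        .not_valid_before(start).not_valid_after(start + datetime.timedelta(days=30))
        .add_extension(x509.BasicConstraints(ca=ca, path_length=path_length), critical=True)
    )
    if permitted:  # limit the DNS names this CA may issue for
        subtrees = [x509.DNSName(d) for d in permitted]
        builder = builder.add_extension(x509.NameConstraints(subtrees, None), critical=True)
    return builder.sign(signing_key, hashes.SHA256())

def _ext(cert, cls):
    try:
        return cert.extensions.get_extension_for_class(cls).value
    except x509.ExtensionNotFound:
        return None

def audit_ca(cert):
    """List the constraints a CA certificate lacks; [] for non-CA certificates."""
    bc = _ext(cert, x509.BasicConstraints)
    if bc is None or not bc.ca:
        return []
    findings = []
    if bc.path_length is None:  # may create further subordinate CAs
        findings.append("no pathLenConstraint")
    if _ext(cert, x509.NameConstraints) is None:  # may issue for any domain
        findings.append("no nameConstraints")
    return findings

def build_samples():
    """Constructed sample data with hypothetical names, signed by throwaway test keys."""
    root_key, sub_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(2))
    return {
        "unconstrained": make_cert("Test Sub CA A", "Test Root", root_key, sub_key, True),
        "constrained": make_cert("Test Sub CA B", "Test Root", root_key, sub_key, True, 0, ["corp.example"]),
        "leaf": make_cert("www.corp.example", "Test Sub CA B", sub_key, sub_key, False),
    }
```

To audit real certificates, load them with `x509.load_pem_x509_certificate` and pass each one to `audit_ca`.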

Langley likened the scenario to an incident from 2013 in which poor practices by ANSSI resulted in fraudulent and unauthorized certificates being issued. Google was the only one of the three major Web browser makers to place blame in the matter and to question the efficacy of the current CA system.

"In this case, the presumed proxy was given the full authority of a public CA, which is a serious breach of the CA system," Langley wrote. "CNNIC still delegated their substantial authority to an organization that was not fit to hold it … This event also highlights, again, that the Certificate Transparency effort is critical for protecting the security of certificates in the future."
