Unauthorized Security Certificates Found Trusted By Nearly All Devices

Google security engineer Adam Langley posted on the Google Online Security Blog that unauthorized digital certificates have once again been created by a legitimate certificate authority. Digital certificates are used to protect sensitive communications on the Internet. When you see the locked padlock while visiting an HTTPS:// website, a digital certificate is keeping your communications private. This has happened at least three other times and is a result of a trust-based system that has not been fixed to address this and other security concerns.

This unauthorized issuance of certificates left several Google domains vulnerable to man-in-the-middle attacks. The company that issued the unauthorized digital certificates is MCS Holdings, based in Cairo, Egypt. MCS was granted authority to issue certificates by the China Internet Network Information Center (CNNIC). CNNIC's root certificate is found in almost all browsers and operating systems, which is why this unauthorized certificate has such far reach. It is acceptable practice for MCS Holdings to issue certificates for web sites MCS has registered. What MCS Holdings did instead was issue a certificate to a man-in-the-middle (MitM) proxy, giving that proxy the full authority and trust of a public certificate authority. This means any device that connected to and communicated through this unauthorized MitM proxy could have had all communications intercepted by an untrusted third party.

Google has published an update that revokes the unauthorized certificates, so ChromeOS and the Chrome web browser are not vulnerable. Other vendors should soon follow, so the best thing a user can do to stay safe is make sure patches are up to date.
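
The sketch below is an added example, not code from Google or from the original post. It models why a client that trusts a root accepts any certificate minted under a CA-capable intermediate, and how a vendor distrust update stops that. All names are constructed placeholders, and the model assumes signatures and validity dates already check out, so it covers only the chain and trust logic.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    is_ca: bool            # basicConstraints CA flag
    dns_names: tuple = ()  # hostnames the certificate covers

def build_chain(leaf, intermediates, roots):
    """Follow issuer links from the leaf to a trusted root; None if no path."""
    by_subject = {c.subject: c for c in intermediates}
    chain, cur = [leaf], leaf
    while cur.issuer not in roots:
        parent = by_subject.get(cur.issuer)
        if parent is None or parent in chain:  # missing issuer or a loop
            return None
        chain.append(parent)
        cur = parent
    return chain + [roots[cur.issuer]]

def validate(host, leaf, intermediates, roots, distrusted=frozenset()):
    """Return (accepted, reason) for a connection to `host`."""
    if host not in leaf.dns_names:
        return False, "name mismatch"
    chain = build_chain(leaf, intermediates, roots)
    if chain is None:
        return False, "no path to a trusted root"
    for cert in chain[1:]:                     # every issuer must be a CA
        if not cert.is_ca:
            return False, f"{cert.subject} is not a CA"
    for cert in chain:                         # vendor-pushed distrust list
        if cert.subject in distrusted:
            return False, f"{cert.subject} is distrusted"
    return True, "trusted"

# Constructed sample data; every name below is a placeholder.
ROOTS = {"Example Root CA": Cert("Example Root CA", "Example Root CA", True)}
PROXY_CA = Cert("Proxy Intermediate", "Example Root CA", True)
PROXY_EE = Cert("Proxy Intermediate", "Example Root CA", False)
MINTED = Cert("mail.example.test", "Proxy Intermediate", False,
              ("mail.example.test",))

if __name__ == "__main__":
    host = "mail.example.test"
    print(validate(host, MINTED, [PROXY_CA], ROOTS))
    print(validate(host, MINTED, [PROXY_EE], ROOTS))
    print(validate(host, MINTED, [PROXY_CA], ROOTS, {"Proxy Intermediate"}))
```

The first call is accepted because nothing in the chain limits what the intermediate may sign. The second and third are rejected: one because the proxy's certificate lacks CA authority, the other because the intermediate is on the distrust list.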

 

Google Online Security Blog link: http://googleonlinesecurity.blogspot.com/2015/03/maintaining-digital-certificate-security.html

Post by Remote Process