
X509

Posted on July 14th, 2014 at 13:37 by John Sinteur in category: Do you feel safer yet?, Google

[Quote]:

Shortly after the initial news came out that the NSA fakes Google and Yahoo servers with stolen or faked certificates:

https://www.schneier.com/blog/archives/2013/09/new_nsa_leak_sh.html

the German computer magazine C’T issued a warning that it is a security risk when Microsoft automatically updates its list of certificates without notifying users, so that dubious certificates could easily get into the Windows certificate list, which is trusted by web browsers like Internet Explorer or Google Chrome for Windows:

http://www.heise.de/ct/artikel/Microsofts-Hintertuer-1921730.html

After reading this, I filed a bug in Chromium, which was then dismissed as a “won’t fix”, with the Chromium developers saying that the certificate list is “signed by Microsoft” and there would not be any break in the “chain of trust”.

And now I see this message from Google:

http://www.heise.de/security/meldung/Indien-stellte-falsche-Google-Zertifikate-aus-2252544.html

http://googleonlinesecurity.blogspot.de/2014/07/maintaining-digital-certificate-security.html

“On Wednesday, July 2, we became aware of unauthorized digital certificates for several Google domains. The certificates were issued by the National Informatics Centre (NIC) of India, which holds several intermediate CA certificates trusted by the Indian Controller of Certifying Authorities (India CCA).

The India CCA certificates are included in the Microsoft Root Store and thus are trusted by the vast majority of programs running on Windows, including Internet Explorer and Chrome. Firefox is not affected because it uses its own root store that doesn’t include these certificates.

We are not aware of any other root stores that include the India CCA certificates, thus Chrome on other operating systems, Chrome OS, Android, iOS and OS X are not affected. Additionally, Chrome on Windows would not have accepted the certificates for Google sites because of public-key pinning, although misissued certificates for other sites may exist.”

“Update Jul 9: India CCA informed us of the results of their investigation on July 8. They reported that NIC’s issuance process was compromised and that only four certificates were misissued; the first on June 25. The four certificates provided included three for Google domains (one of which we were previously aware of) and one for Yahoo domains. However, we are also aware of misissued certificates not included in that set of four and can only conclude that the scope of the breach is unknown.”

Now Microsoft has removed the certificates in question, and it turns out that the issue affected 45 domains:

http://www.heise.de/security/meldung/Microsoft-entzieht-Indischer-CA-das-Vertrauen-2255992.html

https://technet.microsoft.com/en-us/library/security/2982792

In view of this list, the advice from Google looks especially funny:

“Chrome users do not need to take any action to be protected by the CRLSet updates. We have no indication of widespread abuse and we are not suggesting that people change passwords.”

The Microsoft certificate list is used in the Chrome browser. Faking a Google server is difficult, since Chrome checks its certificate by different means, and that was how the attack was revealed. But Chrome does not have a similar check for Yahoo. If that attack were not working after all, the hackers would not have used it.

But still, Google is explicitly not suggesting that anyone should change passwords…
