Microsoft has blacklisted a subordinate CA certificate that was wrongfully used to issue SSL certificates for several Google websites. The action will prevent those certificates from being used in Google website spoofing attacks against Internet Explorer users.
Microsoft’s move, taken on Tuesday, came after Google reported that the China Internet Network Information Center (CNNIC), a certificate authority (CA) trusted by most browsers and operating systems, issued an intermediate certificate to an Egyptian company called MCS Holdings. The company then used it to generate SSL certificates for Google-owned websites without authorization.
An intermediate certificate gives its holder the ability to issue SSL certificates for other domain names. In other words, CNNIC delegated its certificate authority powers to MCS Holdings, transforming the latter into a subordinate CA.
MCS Holdings installed the sub-CA certificate in a firewall device with SSL/TLS traffic inspection capabilities. Such devices act as man-in-the-middle (MITM) proxies and are used by some companies to enforce their IT security policies even when employees visit HTTPS websites.
The MCS Holdings appliance used the sub-CA certificate to issue certificates for several Google domain names, and possibly other sites, allowing it to analyze SSL/TLS encrypted traffic between the company’s employees and those websites.
The use of a widely trusted sub-CA certificate for such a purpose is dangerous, because if the firewall device is compromised and hackers steal the certificate, they can use it to launch website spoofing attacks against any user on the Internet.
If they want to perform MITM SSL interception on their networks, companies should use self-generated CA certificates instead and manually deploy them on all of their systems. If such certificates later get stolen, attackers would only be able to target the corresponding organizations, not users at large.
Google and Mozilla blacklisted the sub-CA certificate misused by MCS Holdings on Monday, so certificates it has signed are no longer trusted by Chrome and Firefox. Microsoft’s action Tuesday extended the blacklisting to Internet Explorer and any other software program that relies on the Windows root certificate store to validate certificates.
Mozilla, which maintains its own separate list of trusted root CA certificates, is now debating whether CNNIC should be punished for issuing the intermediate certificate in the first place, as the Chinese organization appears to have done so in violation of Mozilla’s policies.
In a discussion on the Mozilla Dev Security Policy mailing list, a representative of CNNIC said that the organization issued the intermediate certificate, which had a validity period of only two weeks, as a test, under an agreement that MCS Holdings will only use it to generate certificates for its own domain names.
However, regardless of whether MCS failed to respect that agreement, CNNIC does not appear to have fulfilled all requirements for subordinate CA certificates that are specified in Mozilla’s CA Certificate Inclusion Policy and the CA/Browser Forum’s Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates.
Both sets of guidelines require subordinate CA certificates to be either technically constrained, such that they can only be used to issue certificates for specific domain names, or be publicly disclosed and subjected to the same type of audits as root CA certificates.
The intermediate certificate issued by CNNIC met neither of those conditions, according to comments on the Mozilla mailing list. As such, discussion participants have proposed sanctions that range from completely removing CNNIC from the list of CAs trusted by Mozilla to restricting trust in CNNIC to .cn domains only.
An official decision has not yet been reached by Mozilla.
This is not the first case of subordinate CA certificates being misused. In 2013, a French national cybersecurity agency called ANSSI issued an intermediate certificate to the Treasury department of the French Ministry of Finance. That certificate was then used to issue certificates for Google domains without authorization. One year earlier, a certificate authority called Turktrust issued a certificate to the Municipality of Ankara that unintentionally had a sub-CA profile. That certificate was later installed in a firewall appliance and used for SSL traffic inspection on a local network.