Google disclosed this weekend that it had discovered multiple “unauthorized digital certificates for several Google domains” that were endorsed by the Certificate Authority (CA) of the French Treasury, whose own certificates had in turn been endorsed by the Public Service Infrastructure Trust Management.
An improperly issued certificate for a domain the issuer was never authorized to certify allows an attacker to present what appears to be a validly signed and authenticated certificate; in this case it would enable a man-in-the-middle (MITM) attack that undermines the SSL encryption protecting the data in transit.
Google said in a statement that “we investigated immediately and found the certificate was issued by an intermediate certificate authority (CA) linking back to ANSSI, a French certificate authority. Intermediate CA certificates carry the full authority of the CA, so anyone who has one can use it to create a certificate for any website they wish to impersonate.”
“In response, we updated Chrome’s certificate revocation metadata immediately to block that intermediate CA, and then alerted ANSSI and other browser vendors. Our actions addressed the immediate problem for our users,” Google continued.
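The two points Google makes above, that a subordinate CA certificate without constraints carries the root's full authority, and that a browser can shut one down by pushing revocation metadata rather than waiting for the CA, can be shown with a small constructed chain. The following Go program is an added example written for this page, not Google's or ANSSI's code: it mints a placeholder root, a subordinate CA and a leaf for `www.example.com` (all names constructed), shows that ordinary X.509 path validation accepts the leaf because the subordinate is trusted to sign for any name, and then shows that a client-side blocklist keyed on the intermediate's SubjectPublicKeyInfo hash (the shape of a CRLSet-style update; the hash choice is this example's assumption) rejects the same chain.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// Chain is a constructed three-level hierarchy: a trusted root, a subordinate
// (intermediate) CA the root issued, and a leaf the subordinate signed for a
// host it had no business certifying.
type Chain struct {
	Root, Intermediate, Leaf *x509.Certificate
}

// SPKIHash returns hex(SHA-256(SubjectPublicKeyInfo)). Keying a blocklist on the
// key rather than serial or subject means a re-issued certificate with the same
// key stays blocked. (Assumption of this example, not the article.)
func SPKIHash(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// mint signs tmpl with parentKey; when parent is nil the certificate is self-signed.
func mint(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// caTemplate builds a CA certificate template with no name constraints.
func caTemplate(serial int64, name string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

// BuildScenario constructs the hierarchy for host. Every name is a placeholder
// invented for this example; nothing here is the real chain from the incident.
func BuildScenario(host string) (*Chain, error) {
	root, rootKey, err := mint(caTemplate(1, "Example Root CA (constructed)"), nil, nil)
	if err != nil {
		return nil, err
	}
	// No name constraints: the subordinate inherits authority over every hostname.
	sub, subKey, err := mint(caTemplate(2, "Example Subordinate CA (constructed)"), root, rootKey)
	if err != nil {
		return nil, err
	}
	leaf, _, err := mint(&x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, sub, subKey)
	if err != nil {
		return nil, err
	}
	return &Chain{Root: root, Intermediate: sub, Leaf: leaf}, nil
}

// PathValidates runs ordinary X.509 path validation of the leaf for host,
// trusting only the root. It has no notion of which CA "should" issue for host.
func PathValidates(c *Chain, host string) bool {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(c.Root)
	inters.AddCert(c.Intermediate)
	_, err := c.Leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: host})
	return err == nil
}

// BlockedByList reports whether either issuing certificate in the chain is in
// blocked, a set of SPKI hashes a vendor pushes to clients out of band.
func BlockedByList(c *Chain, blocked map[string]bool) bool {
	return blocked[SPKIHash(c.Root)] || blocked[SPKIHash(c.Intermediate)]
}

func main() {
	c, err := BuildScenario("www.example.com")
	if err != nil {
		panic(err)
	}
	fmt.Println("path validation accepts the mis-issued leaf:", PathValidates(c, "www.example.com"))
	fmt.Println("blocklist on the intermediate's SPKI rejects it:",
		BlockedByList(c, map[string]bool{SPKIHash(c.Intermediate): true}))
}
```

Running it prints `true` for both checks: chain building alone cannot tell a legitimate issuance from an unauthorized one when the subordinate CA is unconstrained, which is why the fast remedy was to distribute a block for the intermediate's key rather than to change validation logic.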
Google further said that ANSSI acknowledged the intermediate CA certificate was employed by an unspecified commercial device on a private network to “inspect encrypted traffic with the knowledge of the users on that network,” which was a violation of ANSSI's procedures, leading ANSSI to request that the certificate be revoked.
“This incident represents a serious breach and demonstrates why Certificate Transparency, which we developed in 2011 and have been advocating for since, is so critical. Since our priority is the security and privacy of our users, we are carefully considering what additional actions may be necessary,” Google said.