Microsoft and Google have publicly warned of several unauthorised fake HTTPS certificates discovered in many of their domains, which can be used to track down traffic, spoof content and in phishing scams.
The fake HTTPS certificates were issued by China-based CNNIC which is owned by MCS Holdings (based in Egypt), said Google engineer Adam Langley. Google is pretty upset as MCS Holdings has issued fake SSL certificates for a few Google-owned websites.
Google wrote in a blog post,
On Friday, March 20th, we became aware of unauthorized digital certificates for several Google domains. The certificates were issued by an intermediate certificate authority apparently held by a company called MCS Holdings. This intermediate certificate was issued by CNNIC.
Langley wrote a blog post saying, “CNNIC is included in all major root stores and so the mis-issued certificates would be trusted by almost all browsers and operating systems.”
Should you be worried?
Unfortunately, All versions of Microsoft’s Windows are under threat, unless users are subscribed to the company’s automatic update service. Microsoft saif that it has the Certificate Trust List for all supported versions of Windows has been fully updated.
According to Microsoft, if you are running Windows 2003 version or didn’t choose to install the the automatic updater of revoked certificates, you can still check for updates via Windows Update service and the 2917500 security update be applied immediately using update management software.
On the other hand, Mozzilla and Google have yet to release updated for their Firefox and Chrome browsers.
Why is this a big problem?
Any browser that attempts to access these fake HTTPs domains through a TLS (transport layer security) protocol will face security threats and will be vulnerable to phishing scams as browsers rely on such certificates to be sure that it is connecting to a trusted and a secure domain.
Simply put, the “lock” icon and the https:// prefix in the URL ensures your login into a safe, legitimate website. Based on the certificate your browser receives, it will display this icon. Therefore, if it connects to a fake HTTPS certificate, your privacy is under major threats.
On the other hand, Langley stated that Chrome on Windows, OS X, and Linux, ChromeOS, and Firefox 33 and up, will reject these certificates because of the public-key pinning. Public-key pinning is a security feature developed by Google tech team to improve the security of HTTPS to enable online services to distinguish between valid certificates and fake HTTPs certificates. It will automatically reject the ones that have not come from known authorities.
Fake HTTPs Google certificates are the latest of many security problems concerning secure sockets layer/transport layer security (SSL/TLS) encryption system designed to secure HTTPS connections.
Microsoft had previously warned earlier this month that an SSL certificate for the domain live.fi had been “improperly issued” and it’s possible that it might be used to spoof content and carry out phishing threats.
While Apple managed to fix a serious SSL flaw in iOS and Mac OS last year.However, Apple has been experiencing other SSL flaws ever since, such as: Heartbleed, Poodle, Superfish, PrivDog and the notorious Freak.
“However, rather than keep the private key in a suitable HSM (hardware security module), MCS installed it in a man-in-the-middle proxy,” said Langley.
“These devices intercept secure connections by masquerading as the intended destination and are sometimes used by companies to intercept their employees’ secure traffic for monitoring or legal reasons,” he continued.
Google informed CNNIC and others about this dangerous issue, and CNNIC stated that according to their contract with MCS Holdings, MCS is responsible for issuing domain certificates for registered domains only.
It is advisable not to take any further action, unless recommended by your service. The companies’ security hasn’t been sabotaged by any means.
