
Summary:

The incident, which was probably a case of the French finance ministry going overboard in its efforts to monitor employee activities, provides a timely reminder of how the certificate system is the weak point in online security.

French flag
photo: Flickr / fdecomite

Google appears to have caught the French finance ministry inspecting its workers' internet traffic with certificates for Google domains that it had no authority to issue, judging from an episode that took place last week.

The web firm said in a blog post on Saturday that, on the preceding Tuesday, it had become aware of “unauthorized digital certificates for several Google domains.” It traced the certificates to an intermediate CA whose chain of trust led back to ANSSI, the French state information security agency, which in turn identified the Treasury as the source.

Browsers use such certificates to verify that a web server really belongs to the domain it claims, which is what stops a third party from quietly reading a TLS/SSL session. Anyone holding a certificate for a Google domain that chains to a root the browser trusts can sit between the user and Google, terminate the encrypted connection, read or alter the traffic and forward it on, with no warning shown to the user. This is known as a man-in-the-middle attack; it is reported to have been used by the NSA, and is probably that agency's chief weapon for circumventing industry-standard TLS/SSL web encryption.

Certificates are issued by certificate authorities (CAs). A root CA is one whose own certificate ships in the trust store of browsers and operating systems, so anything signed under it is accepted without further question; ANSSI's root was in that position. Roots also certify intermediate CAs, which then issue certificates of their own, and the browser accepts those because it can follow the chain of signatures back to a trusted root. The weakness is structural: every root in the store, and every intermediate under it, can issue a certificate for any domain, so the whole system is only as strong as its least careful CA.

Last week, Google spotted certificates for its own domains that it had never requested, issued by an intermediate CA. It immediately updated Chrome's certificate revocation metadata to block that intermediate, then followed the chain of trust to the root CA, ANSSI. It informed ANSSI of what it had found, and warned other browser vendors so that they could block the intermediate too.
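To make the chain-of-trust mechanics concrete, here is an added example in Go; it is not code from the original article, from Google or from ANSSI. It builds a throwaway hierarchy with constructed names (a "Genuine Root CA" for the site, an unrelated "State Root CA" with a "Ministry Intermediate CA" under it, both roots in the trust store) and has the intermediate issue a certificate for www.google.com to a party that does not control that name. It then shows the three outcomes that matter: ordinary path validation accepts the mis-issued certificate, because it chains to a trusted root; a public-key pin for the site's real key (the kind of check Chrome applies to Google's own domains) rejects it; and putting the intermediate's key on a blocklist rejects it outright.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// issue generates a key pair and a certificate for it, signed by parentKey (self-signed
// when parent is nil); key-usage extensions are omitted. CA names here are constructed.
func issue(cn string, isCA bool, dns []string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		DNSNames:              dns,
	}
	if parent == nil { // self-signed root
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// spkiPin hashes the SubjectPublicKeyInfo, the quantity public key pinning compares.
func spkiPin(c *x509.Certificate) string {
	return fmt.Sprintf("%x", sha256.Sum256(c.RawSubjectPublicKeyInfo))
}

// verify runs ordinary path validation for host, then rejects any chain passing through a
// blocked CA key and requires a pinned key somewhere in the chain (empty map = check off).
func verify(leaf *x509.Certificate, inters, roots *x509.CertPool, host string, pins, blocked map[string]bool) error {
	chains, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots, Intermediates: inters})
	if err != nil {
		return err // path validation itself failed (bad name, expired, untrusted root)
	}
	for _, chain := range chains {
		pinned := len(pins) == 0
		for _, c := range chain {
			if blocked[spkiPin(c)] {
				return fmt.Errorf("chain passes through blocked CA %q", c.Subject.CommonName)
			}
			pinned = pinned || pins[spkiPin(c)]
		}
		if !pinned {
			return fmt.Errorf("chain for %s is valid but contains no pinned key", host)
		}
	}
	return nil
}

// Run builds the scenario and returns, in order: the genuine chain checked with
// pins; the mis-issued chain under plain path validation; the same chain with
// pins; and the same chain once the intermediate's key has been blocked.
func Run() (genuine, plain, pinned, blocked error) {
	const host = "www.google.com"
	// Trust store: the site's real root and an unrelated state root, both trusted.
	genuineRoot, genuineRootKey := issue("Genuine Root CA", true, nil, nil, nil)
	stateRoot, stateRootKey := issue("State Root CA", true, nil, nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(genuineRoot)
	roots.AddCert(stateRoot)
	genuineLeaf, _ := issue(host, false, []string{host}, genuineRoot, genuineRootKey)
	pins := map[string]bool{spkiPin(genuineLeaf): true} // what a browser would pin for host
	// An intermediate under the state root issues a certificate for host to someone else.
	inter, interKey := issue("Ministry Intermediate CA", true, nil, stateRoot, stateRootKey)
	misissued, _ := issue(host, false, []string{host}, inter, interKey)
	inters := x509.NewCertPool()
	inters.AddCert(inter)
	genuine = verify(genuineLeaf, x509.NewCertPool(), roots, host, pins, nil)
	plain = verify(misissued, inters, roots, host, nil, nil)
	pinned = verify(misissued, inters, roots, host, pins, nil)
	blocked = verify(misissued, inters, roots, host, nil, map[string]bool{spkiPin(inter): true})
	return genuine, plain, pinned, blocked
}

func main() {
	fmt.Println(Run())
}
```

Path validation answers only "does this chain to something I trust?", and a mis-issued certificate passes that test by construction; the pin set (built here from the genuine leaf's key, where a browser would normally pin a CA or end-entity key it expects for the site) and the blocklist (the counterpart of the revocation metadata Chrome pushed) are the checks that notice something is wrong.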

What follows needs to be pieced together from Google and ANSSI’s respective statements. Google said ANSSI found the certificate had been used “in a commercial device, on a private network, to inspect encrypted traffic with the knowledge of the users on that network.” ANSSI said “human error… was made during a process aimed at strengthening the overall IT security of the French Ministry of Finance,” through which “digital certificates related to third-party domains which do not belong to the French administration have been signed by a certification authority of the DGTrésor (Treasury).”

Read together, the two statements describe a traffic-inspection appliance on the Treasury's internal network: the Treasury's intermediate CA signed certificates for Google domains so that the device could decrypt, inspect and re-encrypt staff traffic to those sites, with the staff supposedly aware of it. That is the Treasury monitoring its own users' internet usage, presumably lawful if Treasury workers' contracts state they may be monitored while surfing on Treasury networks. The technical error is that such a device should use a private root installed only on the ministry's own machines, never a CA that chains to a root every browser in the world trusts: a certificate like this one, if it leaked, would work against Google users anywhere.

Whatever the truth of the matter may be, ANSSI has now revoked the certification powers of the Treasury’s intermediate CA and is revising its overall certification processes “to make sure no incident of this kind will ever happen again.”

Google used the incident to push its campaign for certificate transparency, a framework in which every certificate a CA issues is recorded in public, append-only logs, so that a domain owner can see, in near real time, every certificate issued for its names by any CA rather than discovering one by chance. This would not be a bad thing: as this episode and others have demonstrated, the certificate system is the weak point in today's online security set-up. If we can close that gap while extending encryption across the web, we will all be a lot more secure and much better protected against bulk surveillance.

Comments:

  1. Endless spying in France and the US, yet another violation of our rights. The gov’t constantly violates our rights.
    They violate the 1st Amendment by caging protesters and banning books like “America Deceived II”.
    They violate the 4th and 5th Amendment by allowing TSA to grope you.
    They violate the entire Constitution by starting undeclared wars.
    Impeach Obama.
    Last link of “America Deceived II” before it is completely banned:

  2. Google's name is so popular that everyone uses its name to make himself popular… bit.ly/GoogleFame
