When we’ve discussed SSL / TLS previously, we’ve focused on vulnerabilities in specific implementations, problems with how it’s deployed by service providers, or the growing incidence of SSL certificate theft, but a recent issue has highlighted one of the major problems with the SSL / TLS system itself, and it’s one that could allow online criminals to attack encrypted connections without ever having to steal a certificate. It’s nothing to do with the cryptographic technology itself, but rather how identity verification is handled by the certificate authority system.
Last month, Google, Microsoft and others were forced to issue warnings that certificates had been issued for domains under their control by a third party, which could potentially be used for man-in-the-middle attacks rendering the contents of any communication between browser and server open to scrutiny by the attacker.
The certificates were signed with the root certificate of Chinese certificate authority CNNIC, which had contracted with an Egyptian company called MCS Holdings, on the understanding that the company would only issue certificates for domains that it had registered. In fact, MCS Holdings issued certificates for Google and Microsoft domains, which they apparently installed in a MITM proxy.
In order for the SSL / TLS identity verification system to scale, browsers implicitly trust the root certificates of certificate authorities. Anyone can issue an SSL certificate — you can do so on your laptop right now with free software — but browsers only trust certificates that have been signed by a trusted certificate authority’s root certificate or a certificate derived from the root.
Browsers have no way of knowing (except in limited cases with certificate pinning) which CA has the legitimate authority to issue certificates for a particular domain. There are hundreds of CAs and any of them can issue a cert for any domain and browsers will trust it.
By delegating the use of their root certificate to a less-than-trustworthy company, CNNIC allowed it to create certificates for any domain in existence that would then be trusted by browsers.
There is no clear solution to this gaping hole in the SSL / TLS armour. It appears that Google has done the only thing it can do and revoked trust in CNNIC certificates, but that’s not a scalable response. Thousands of legitimate businesses have certificates issued by that CA, and, unless Google whitelists them all, browsers will no longer trust their SSL certificates. Removing browser trust does give CAs a strong incentive not to misuse their authority — it essentially destroys their business as a CA — but there is likely to be a lot of collateral damage.
Google has an alternative solution in the form of Certificate Transparency which it hopes will “eliminate these flaws by providing an open framework for monitoring and auditing SSL certificates in nearly real time,” but that’s likely to take some time to gain widespread acceptance and adoption. In the meantime, web users just have to hope that certificate authorities value their businesses enough to toe the line.
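As an added example (not from the original article or from the Certificate Transparency project), the code below shows the kind of monitoring check a domain owner could run over newly logged certificates: flag any certificate that names a watched domain but was issued by a CA the owner does not use. The record format, issuer names, serials and watchlist are constructed for illustration and are not a real CT log format.

```python
# Added example: simplified Certificate Transparency monitoring for a domain owner.
# Entry fields and all names below are constructed, not a real CT log format.

WATCHLIST = {
    # registered domain -> issuer organisations the owner actually uses (assumed)
    "example.com": {"Example Trusted CA"},
    "example.org": {"Example Trusted CA", "Second Trusted CA"},
}

# Constructed sample of newly logged certificates.
SAMPLE_ENTRIES = [
    {"serial": "01", "issuer_org": "Example Trusted CA", "dns_names": ["www.example.com"]},
    {"serial": "02", "issuer_org": "Unexpected Intermediate CA", "dns_names": ["*.example.com", "unrelated.test"]},
    {"serial": "03", "issuer_org": "Unexpected Intermediate CA", "dns_names": ["notexample.com"]},
    {"serial": "04", "issuer_org": "Second Trusted CA", "dns_names": ["Mail.Example.ORG."]},
]


def watched_domain(name, watchlist):
    """Return the watched domain that covers this SAN entry, or None."""
    host = name.lower().rstrip(".")
    if host.startswith("*."):
        host = host[2:]  # a wildcard covers names under its parent
    for domain in watchlist:
        # Match on a label boundary so notexample.com does not match example.com.
        if host == domain or host.endswith("." + domain):
            return domain
    return None


def find_unexpected_issuance(entries, watchlist):
    """Flag certificates naming a watched domain but issued by an unlisted CA."""
    alerts = []
    for entry in entries:
        for name in entry["dns_names"]:
            domain = watched_domain(name, watchlist)
            if domain and entry["issuer_org"] not in watchlist[domain]:
                alerts.append((entry["serial"], name, entry["issuer_org"]))
    return alerts


if __name__ == "__main__":
    for serial, name, issuer in find_unexpected_issuance(SAMPLE_ENTRIES, WATCHLIST):
        print(f"ALERT serial={serial} name={name} issuer={issuer}")
```

Only the second constructed entry is flagged: it is the one case where a CA outside the owner's list issued for a watched name, which is the situation the article describes.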