Companies like Apple, Google, Mozilla and Microsoft may compete against each other in the OS and browser markets, but when it comes to security issues, they tend to act in concert. Flaws in common standards, like OpenSSL, are typically patched by all parties in short order to ensure that users remain secure. It’s a little surprising to see Apple and Microsoft breaking with Google and Mozilla regarding recently disclosed security flaws with the Certificate Authority CNNIC.
To review: A few weeks ago, security researchers discovered that the Chinese Internet Network Information Center (CNNIC) had improperly handed over authority to an intermediate certificate issuer and allowed that company, MCS Holdings, to issue certificates for Google-owned domains. That’s a fundamental breach of how the Certificate Authority system is supposed to work, and it opened up the possibility of man-in-the-middle (MITM) attacks. Google and Mozilla both contacted CNNIC, and reported the following:
“CNNIC responded on the 22nd to explain that they had contracted with MCS Holdings on the basis that MCS would only issue certificates for domains that they had registered. However, rather than keep the private key in a suitable HSM [Hardware Security Module], MCS installed it in a man-in-the-middle proxy. These devices intercept secure connections by masquerading as the intended destination and are sometimes used by companies to intercept their employees’ secure traffic for monitoring or legal reasons.”
As a result, Google and Mozilla both decided to remove trust for any certificate issued by CNNIC. This means that any time a browser encounters a certificate signed by that authority, it will react as though the certificate is untrustworthy. (Whether these prompts actually improve security is a matter of some debate.) Mozilla declared CNNIC’s actions to be an “egregious violation” of the Foundation’s trust policies.
Apple and Microsoft, however, have chosen to react differently, and pursued what might be called the middle road. Microsoft released a security update that invalidated certificates issued by MCS Holdings, but declined to take action against CNNIC. Apple’s published list of trusted certificates continues to show CNNIC as a trusted source, despite strong action from Google and Mozilla. It’s not clear if Apple ever trusted MCS Holdings, as an archive.org page from January 6 does not show the firm as listed on Apple’s trusted certificate page.
CNNIC slammed Google and Mozilla’s decision to delist it as “unacceptable and unintelligible,” but it’s not clear why two major firms would take this step while two others refuse to comment on the situation. Whether this reflects previous understandings with the Chinese government or a fundamentally different approach to device security is unclear at this time. In theory, blocking the MCS Holdings certificates (as Microsoft has done) should prevent the exploit from being used in the wild — it’s possible that the four firms simply disagreed on how to treat the situation. This could create oddities with certain system configurations, in which some browsers throw security errors while others don’t.
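To make the three responses concrete, here is an added model (not code from the article or from any vendor) of how a chain validator reaches different verdicts depending on whether the CNNIC root is dropped from the store, only the MCS intermediate is blocked, or both stay trusted; it also shows what a technical name constraint on the intermediate, rather than the contractual one the article describes, would have done. Subjects, fingerprints and the `mcsholdings.example` domain are constructed placeholders.

```python
from dataclasses import dataclass

# Constructed model: subjects and "fingerprints" are placeholders, not the
# real CNNIC or MCS Holdings certificates.
@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    fingerprint: str
    permitted_domains: tuple = ()  # name constraints; empty = unconstrained

def validate_chain(chain, trusted_roots, distrusted, hostname):
    """chain is leaf-first, root-last. Returns 'trusted' or a rejection reason."""
    for child, parent in zip(chain, chain[1:]):      # hop-by-hop issuer linkage
        if child.issuer != parent.subject:
            return f"broken chain at {child.subject}"
    if chain[-1].fingerprint not in trusted_roots:   # root must be in the store
        return f"root not trusted: {chain[-1].subject}"
    for cert in chain:                               # per-certificate blocklist
        if cert.fingerprint in distrusted:
            return f"explicitly distrusted: {cert.subject}"
    for ca in chain[1:]:                             # name constraints on every CA
        if ca.permitted_domains and not any(
                hostname == d or hostname.endswith("." + d) for d in ca.permitted_domains):
            return f"{ca.subject} may not issue for {hostname}"
    return "trusted"

CNNIC = Cert("CNNIC ROOT", "CNNIC ROOT", "fp-cnnic")
# As the article describes it, MCS was bound only by contract: no name constraints.
MCS = Cert("MCS Holdings CA", "CNNIC ROOT", "fp-mcs")
# Hypothetical variant: the same intermediate with a technical name constraint.
MCS_CONSTRAINED = Cert("MCS Holdings CA", "CNNIC ROOT", "fp-mcs",
                       permitted_domains=("mcsholdings.example",))
GOOGLE_LEAF = Cert("www.google.com", "MCS Holdings CA", "fp-google")
CN_LEAF = Cert("www.example.cn", "CNNIC ROOT", "fp-cn")

MISISSUED = [GOOGLE_LEAF, MCS, CNNIC]   # the chain a MITM proxy would present
LEGIT = [CN_LEAF, CNNIC]                # an ordinary CNNIC-issued site certificate

# The three responses in the article, modelled as (trusted roots, blocked certs).
POLICIES = {
    "keep_both":          ({"fp-cnnic"}, set()),       # CNNIC trusted, MCS not blocked
    "block_intermediate": ({"fp-cnnic"}, {"fp-mcs"}),  # Microsoft: invalidate MCS only
    "remove_root":        (set(), set()),              # Google/Mozilla: drop CNNIC root
}

def evaluate(policy, chain, hostname):
    roots, blocked = POLICIES[policy]
    return validate_chain(chain, roots, blocked, hostname)

if __name__ == "__main__":
    for p in POLICIES:
        print(p, evaluate(p, MISISSUED, "www.google.com"), "|", evaluate(p, LEGIT, "www.example.cn"))
    print("constrained:", validate_chain([GOOGLE_LEAF, MCS_CONSTRAINED, CNNIC],
                                         {"fp-cnnic"}, set(), "www.google.com"))
```

Note that only the "remove_root" policy also breaks the legitimate CNNIC-issued site, which is the collateral cost the article's last paragraph alludes to.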