Thursday, January 03, 2013

Don't mess with the Google

As a hacker, should you succeed in obtaining a signing certificate (allowing you to perform MitM attacks, for example), whatever you do, don't attack *.google.com.

That's the message in this Google blogpost about the TURKTRUST incident, which says:
Late on December 24, Chrome detected and blocked an unauthorized digital certificate for the "*.google.com" domain

What that implies is that Chrome acts as 100 million sensors on the Internet looking for *.google.com MitM attacks. If you are a government wanting to spy on your citizens, as soon as you insert a fraudulent signing certificate into your BlueCoat monitor, one of your citizens using Google Chrome is going to notify the mother ship.

This is a good thing. Microsoft (with IE) and Firefox should get into the act. They should likewise monitor other likely monitoring targets, like Facebook and Twitter. If the major browsers raised an alert whenever the certificate for one of the major websites changed unexpectedly, this would severely restrict the ability of governments to monitor their citizens.
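One way a client can notice such a change is to ship with the public keys it expects for a site and compare them against every chain it is shown. The sketch below is an added example, not code from the original post or from Chrome; the pin list, the key bytes and the report format are constructed for illustration.

```python
import base64
import hashlib

def spki_pin(spki_der: bytes) -> str:
    """Base64 SHA-256 of a certificate's SubjectPublicKeyInfo bytes."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

# Constructed stand-ins for DER-encoded public keys (not real keys).
EXPECTED_CA_KEY = b"constructed: CA key the site operator really uses"
ROGUE_CA_KEY = b"constructed: intermediate CA key issued in error"
LEAF_KEY_GOOD = b"constructed: genuine server key"
LEAF_KEY_MITM = b"constructed: interceptor's server key"

# Hypothetical pin list shipped with the client: domain -> acceptable pins.
PINS = {"google.com": {spki_pin(EXPECTED_CA_KEY)}}

def pins_for(host: str):
    """Return (pinned_domain, pins) for host or a parent domain, else None."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):  # never test the bare TLD
        domain = ".".join(labels[i:])
        if domain in PINS:
            return domain, PINS[domain]
    return None

def check_chain(host: str, chain_spkis: list):
    """Run after ordinary chain validation has already succeeded.

    Returns None when the chain is acceptable, otherwise a report
    describing a chain the trust store accepts but the pins do not.
    """
    match = pins_for(host)
    if match is None:
        return None  # unpinned site: nothing to compare against
    domain, pins = match
    seen = [spki_pin(key) for key in chain_spkis]
    if pins.intersection(seen):
        return None  # at least one key in the chain is an expected one
    return {
        "host": host,
        "pinned_domain": domain,
        "observed_pins": seen,
        "action": "block_and_report",
    }
```

The check only fires for sites on the pin list, which is why an unexpected certificate for an unpinned site passes silently in this sketch.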

It appears that Firefox, Microsoft, and Chrome are not completely detrusting TURKTRUST. This is wrong. MitM should be an automatic fail for a CA. Remember that the root of the CA system is not the CAs themselves, but the browser vendors. The browser vendors should have a published list of rules that will get a CA detrusted, and MitM should be one of them.

