Symantec, Google and the SSL Monkey

Some education first

PKI or Public Key Infrastructure is a technology that allows website visitors to trust SSL certificates presented by SSL encrypted websites. An example is when you visit your Internet Banking website – you can verify the authenticity of the site by checking the SSL Certificate of the site ( ie. clicking on the padlock ) – but that certificate is underpinned/backed by a CA or Certificate Authority and you are trusting that the CA has correctly issued the website’s SSL Certificate.

CAs ( issuers of SSL certificates ) have possibly the most important role to play in an ecosystem based purely on trust. If a CA does something to break that trust, then the entire secure website solution that we rely on daily for critical functions, is put in jeopardy.

Our browsers are the conduit through which CAs are “allowed” to exist – browsers contain the CAs’  root certificates through which all SSL certificates are issued and validated. If a CA does not have a root certificate present in a particular browser, then that browser will not implicitly trust sites issued with certificates backed by the CA, and the user visiting that site will be presented with errors. The user could ignore the errors and continue, but they would have no way of validating the authenticity of the site.

Considering that typosquatting ( website addresses with  purposefully incorrect names ) is a serious security issue, it makes no sense to ignore certificate errors. Here is an example:

I want to go to my internet banking so I type www.standerdbank.co.za ( by mistake instead of www.standardbank.co.za ). I don’t realise the problem and end up at a site that looks exactly like I expect; however this is not the correct site and I could potentially be entering my internet banking login details in an unrelated and malicious site. Once the credentials are captured, the false website redirects me back to the real site so that I don’t suspect a problem. The “attackers” now have my login credentials and can act as they want.

SSL certificates will solve the above issue ( as long as we trust the CAs ) by showing an invalid or unrelated certificate for the false site.

History of abuse

With this ( somewhat simplified ) background, we can now understand the issues surrounding CAs that act badly with respect to the issuing of certificates. And there have been more than a few instances of bad behaviour on the part of CAs.

  1. DigiNotar was a Dutch certificate authority owned by VASCO Data Security International, Inc. On September 3, 2011, after it had become clear that a security breach had resulted in the fraudulent issuing of certificates, the Dutch government took over operational management of DigiNotar’s systems. That same month, the company was declared bankrupt.  An investigation into the hacking by Dutch-government appointed Fox-IT consultancy identified 300,000 Iranian Gmail users as the main target of the hack (targeted subsequently using man-in-the-middle attacks), and suspected that the Iranian government was behind the hack.
  2. According to documents released by Mozilla Corporation, Qihoo appears to have acquired a controlling interest in the previously Israeli-run Certificate Authority “StartCom”, through a chain of acquisitions, including the chinese-owned company WoSign. WoSign also has a CA business; WoSign has been accused of poor control and mis-issuing certificates. Furthermore, Mozilla alleges that WoSign and StartCom are in violation of their obligations as Certificate Authorities in respect of their failure to disclose the change in ownership of StartCom; Mozilla is threatening to take action, to protect their users.
  3. In 2015, Symantec’s Thawte CA mis-issued an EV ( Extended Validation –  the highest trusted certificate type ) for the domains google.com and www.google.com. These were just test certificates but if let out into the wild, anyone could have posed as Google.
  4. In June 2011, StartCom suffered a network breach which resulted in StartCom suspending issuance of digital certificates and related services for several weeks. The attacker was unable to use this to issue certificates (and StartCom was the only breached provider, of six, where the attacker was blocked from doing so). StartCom was acquired in secrecy by WoSign Limited (Shenzen, China), through multiple companies, which was revealed by the Mozilla investigation related to the root certificate removal of WoSign and StartCom in 2016.

And now for some current news

As recently as last year, Google ( and now Mozilla – the 2 browsers with biggest market share ) has found wrongdoing on the part of Symantec and many of its subsidiary CAs. Symantec owns 2 of the most popular brands in SSL certificates – Verisign and Thawte – so this is a considerable issue. As of March this year, Google has laid out a plan to gradually distrust SSL Certificates issued by Symantec and any of its subsidiary CAs, and push for their replacement.

“As captured in Chrome’s Root Certificate Policy, root certificate authorities are expected to perform a number of critical functions commensurate with the trust granted to them. This includes properly ensuring that domain control validation is performed for server certificates, to audit logs frequently for evidence of unauthorized issuance, and to protect their infrastructure in order to minimize the ability for the issuance of fraudulent certs.”

“On the basis of the details publicly provided by Symantec, we do not believe that they have properly upheld these principles, and as such, have created significant risk for Google Chrome users. Symantec allowed at least four parties access to their infrastructure in a way to cause certificate issuance, did not sufficiently oversee these capabilities as required and expected, and when presented with evidence of these organizations’ failure to abide to the appropriate standard of care, failed to disclose such information in a timely manner or to identify the significance of the issues reported to them.”

As you can imagine, if CAs mis-issue certificates, this breaks the fundamental trust required for using secure encrypted websites.

I very seldom mention my affiliated businesses in my blog however, in this case it’s important to mention that the primary upstream provider for SSL Certificates for my internet service business, eMailStor, has as of February this year, stopped distributing certificates from Symantec, Verisign, Thawte, GeoTrust and RapidSSL. This gives you an idea of how serious the problem of certificate mis-issuance is.

For end-users, it’s a matter of checking the certificate presented by a site to ensure that it’s valid. If there is a matter of mis-issuance, then most CAs have an insurance facility which may cover losses.

Website operators have a little more work to do – as follows:

  • make sure all critical internet services use SSL Certificates
  • have a complete SSL Certificate generation policy in place, along with all required documentation and procedures
  • do not pin certificates to one CA
  • do not assume that popular CAs are by nature and reputation secure
  • continually review the performance of your CAs
  • follow the instructions of CAs to the letter for installation

SSL Certificates, and their issuers, play a critical part in making sure that websites can be authenticated, and that users can transfer information with websites in a secure manner. Browser makers also play a part in making sure that CAs toe the line and work together to build an infrastructure that can be trusted.