
Google smacks down dodgy French digital certificates

Zut e-flaws
Mon Dec 09 2013, 12:32

INTERNET SEARCH AND ADVERTISING FIRM Google has caught the French government impersonating it by signing digital security certificates.

It was just a mistake, according to a statement from the French government.

"As a result of a human error which was made during a process aimed at strengthening the overall IT security of the French Ministry of Finance, digital certificates related to third-party domains which do not belong to the French administration have been signed by a certification authority of the DGTrésor (Treasury) which is attached to the IGC/A," said a statement from the French state information security agency.

"The mistake has had no consequences on the overall network security, either for the French administration or the general public. The aforementioned branch of the IGC/A has been revoked preventively."

Google said that it became aware of the dodgy certificates on 3 December and immediately began to trace them back.

"[We] found the certificate was issued by an intermediate certificate authority (CA) linking back to ANSSI, a French certificate authority. Intermediate CA certificates carry the full authority of the CA, so anyone who has one can use it to create a certificate for any website they wish to impersonate," it said in a blog post.

"In response, we updated Chrome's certificate revocation metadata immediately to block that intermediate CA, and then alerted ANSSI and other browser vendors. Our actions addressed the immediate problem for our users."

While the French authority put the incident down to a security upgrade gone wrong, Google suggested that some snooping had been going on. It said it could not let this sort of thing stand, and revoked the certificates immediately.

"ANSSI has found that the intermediate CA certificate was used in a commercial device, on a private network, to inspect encrypted traffic with the knowledge of the users on that network. This was a violation of their procedures and they have asked for the certificate in question to be revoked by browsers. We updated Chrome's revocation metadata again to implement this," it added.

"This incident represents a serious breach and demonstrates why Certificate Transparency, which we developed in 2011 and have been advocating for since, is so critical. Since our priority is the security and privacy of our users, we are carefully considering what additional actions may be necessary."
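As an added illustration of what Google's revocation-metadata update achieved, not code from Google, ANSSI or this article: a Go model in which a constructed three-tier chain (root, intermediate, leaf for a made-up host) is cryptographically valid, yet is refused once the intermediate's public-key hash is on a blocklist. It is a simplified stand-in for Chrome's real mechanism, and `issue`, `spkiHash`, `verify` and the certificate names are choices made here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// issue signs a constructed test certificate for cn with parent's key (self-signed when parent is nil).
func issue(cn string, isCA bool, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn}, IsCA: isCA, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature, // CA usage; narrowed for leaves below
	}
	if !isCA { // leaf: bound to one host name, TLS server auth only, no certSign
		tmpl.KeyUsage, tmpl.DNSNames = x509.KeyUsageDigitalSignature, []string{cn}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	if parent == nil { // root: signs itself
		parent, pkey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, pkey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// spkiHash identifies a CA by its public key, so a block also covers anything re-issued under a new serial.
func spkiHash(c *x509.Certificate) [32]byte { return sha256.Sum256(c.RawSubjectPublicKeyInfo) }
// verify validates leaf for host up to root via inter, then refuses the chain if any certificate on it is blocked, even though every signature on the path is good.
func verify(leaf, inter, root *x509.Certificate, host string, blocked map[[32]byte]bool) error {
	opts := x509.VerifyOptions{Roots: x509.NewCertPool(), Intermediates: x509.NewCertPool(), DNSName: host}
	opts.Roots.AddCert(root)
	opts.Intermediates.AddCert(inter)
	chains, err := leaf.Verify(opts)
	if err != nil {
		return err
	}
	for _, c := range chains[0] {
		if blocked[spkiHash(c)] {
			return errors.New("chain passes through a blocked CA: " + c.Subject.CommonName)
		}
	}
	return nil
}
```

Exercise it from a `_test.go` file: build root, intermediate and leaf with `issue`, then call `verify` with an empty blocklist and again with `spkiHash(inter)` in it; the second call must fail even though nothing about the chain's signatures changed.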
