News

China Accused of Doling Out Counterfeit Digital Certificates in ‘Serious’ Web Security Breach

Digital certificates are the passports of the internet. They tell browsers like Chrome and Internet Explorer that websites are authentic. When you go to your bank’s webpage, for example, it presents a certificate to your browser — a padlock icon appears at the left of the URL address, signifying the site is legitimate and encrypted and you’re not giving your username and password to, say, a Russian hacker.

But that sense of security assumes the certificate is valid.

Videos by VICE

In a development that may affect the free flow of information online, it appears China has been doling out counterfeit digital certificates.

In a March 23 blog post, Google said it had recently become aware of “unauthorized” certificates on several of the company’s domains, calling it a “serious breach.” Google said an Egyptian company called MCS Holdings issued the certificates as an intermediary for the China Internet Network Information Center, or CNNIC, a unit of China’s Ministry of Industry and Information Technology.

Google claimed MCS Holdings gave out false certificates that convinced browsers that fake websites were the real thing. The company didn’t specify which domains were affected, but someone could have logged onto what they thought was Gmail when really they were on a fake site.

Related: Booze, sex, and the dark art of dealmaking in China 

More nefariously, MCS Holdings used the counterfeit certificates to run so-called “man-in-the-middle” scams, Google claimed, meaning their fake certificates sent people to genuine websites but kept track of the activity on them.

James Andrew Lewis, a tech expert at the Center for Strategic & International Studies, told VICE News the scam was in line with other Chinese cyber-espionage operations. Last week, security experts said Chinese hackers relayed web traffic to overwhelm GitHub, a programmers’ site that hosts so-called “mirror” versions of the BBC, the New York Times, and other media banned in China.

“You have seen in the last year, just an endless number of measures to tighten control and maybe see if they can extend their control outside China’s boundaries,” Lewis told VICE News. “The idea of information as a battlefield for the Communist Party is one of the things that are driving them.”

After Google blocked MCS Holdings’ digital certificates on its Chrome browser, Mozilla’s Firefox and others quickly followed suit. Google said it didn’t find abuses and wouldn’t block other CNNIC certificates.

Related: Leaked detail about new Chinese aircraft carrier leaves bigger questions unanswered 

Adam Langley, a Google security engineer, suggested Beijing was culpable for working with the Egyptian company. “CNNIC still delegated their substantial authority to an organization that was not fit to hold it,” Langley wrote on the company’s Online Security Blog.

The post sent off alarms at the Committee to Protect Journalists. On Tuesday, Committee Staff Technologist Tom Lowenthal called on Google and other browser developers to reject Chinese certificates altogether.

“The trust placed in CNNIC to faithfully issue valid credentials was abused to attack users in colossal breach of the rules underpinning global Internet security,” Lowenthal wrote in a blog post. “CNNIC’s close ties to the Chinese government and military have always raised suspicion in the tech community about its trustworthiness.”

Given that less than 600 authorities issue digital certificates, Silicon Valley probably won’t heed Lowenthal’s advice, said Seth Schoen, senior staff technologist at the Electronic Frontier Foundation. The system of granting and authenticating certificates is like the Wild West, he said.

“We don’t really have a consensus or an understanding of how to respond to these situations, whether one of the certifying authorities is a victim of hacking or delegating it to someone who misuses it,” Schoen told VICE News.

Jason Healey, director of the Atlantic Council Cyber Statecraft Initiative, added that the US government probably wouldn’t take action, either. The National Security Agency has used counterfeit digital certificates to spy on Iran and probably others, he said. “How can the US come out and say ‘You can’t issue these fakes’ when they would be doing it clandestinely?” he said in an interview with VICE News.

Related: China wants to rid its universities of ‘Western values’ 

Healey hopes Apple, Google, Microsoft and the rest of the tech industry will figure out ways to stop fake certificates from circulating. Google is working on a fix called Certificate Transparency that would make certification more public.

The companies have an incentive to find safeguards, Healy added. If the world’s largest economy flooded the internet with counterfeit certificates, innovation would suffer. Nobody will be hooking up home burglar alarms to their smart phones or riding in driverless cars if they think someone might hack into those systems, he said.

“We are starting to mess with the fundamental stuff that makes the internet safe, stable and secure,” said Healy.

Follow John Dyer on Twitter: @johnjdyerjr

Image via Wikimedia Commons