#diginotar hack. Another *.google.com certificate mis-issued.

Update:

Google has responded to the incident with a must-read post to the Google Online Security Blog. I would still like to see them post security notices near logins, especially when they detect a vulnerable browser version, but this acknowledgement of the issue is a strong start for Google.


I wont say much on this hack, because well, its pretty much the same as my reporting on comodogate.

This morning it was reported that a trusted certificate authority mis-issued a certificate for *.google.com. This event re-opens the SSL trust system debate once again and set off a fire-storm of tweets within the SSL security community.

Today's must follow @dakami @caparsons @moxie__ @csoghoian @ioerror @rmhrisk @mashray @naskooskov @mikkohypponen and @ivanristic

The discussion is heated, with a lot of disagreement as to what the acceptable level of disclosure is in such a scenario.

Firefox is the first-mover with a swift digital death penalty for the offending ca see http://blog.mozilla.com/security/2011/08/29/fraudulent-google-com-certificate/

This in my mind is extreme, but given the nature of the CA and the size of the offence and the number of relying parties, it makes perfect sense that they would kill the CA. The bigger question raised is what is the responsibility of the web-site-operator when their sites are shown to be vulnerable to SSL man-in-the-middle.

I've written critically about Google's handling of #comodogate, because as an organization they espouse principles like "do no evil" and they have sufficient talent to fully understand the scope of the problem and because they have still failed to inform customers of the seriousness of the comodogate incident.

Today, again brings another *.google.com certificate and puts Google's 'do no evil' policy on trial again. Lets hope they dont make the same mistakes. From my perspective, Google sells their users on the security of SSL with claims like:

"In your Gmail settings, select 'Always use HTTPS.' This setting protects your information from being stolen when you're signing in to Gmail on a public wireless network, like at a cafe or hotel. Read more."

But then, do they not conversely have an obligation to say when that protection is at risk? In my opinion, they should have a security notices link with the same prominence as their privacy policy links.

The interesting story of the day however may be that the Chrome browser may have gotten its very first test of real-world certificate pinning. Chrome Version 13 and better offers certificate pinning functionality for "most google properties" (see: http://www.imperialviolet.org/2011/05/04/pinning.html ) which may mean that this hack would have epically failed against Chrome users. I'd say there should be some champaign popping in the Chrome offices today.

However, that said, when people visit google's secure properties in insecure browsers, should they not get a notification and warning? Shouldn't Chrome < v 13 users get a prominent upgrade notice? Not notifying people, given that the hack is apparently targeting Iranian ISPs with an active MITM attack, may actually put lives in danger where the intercepted communication is for the purpose of cracking dissident email accounts. (Which contrary to some, I do not consider a Godwin argument in the Iranian context, but rather an operational reality of Google's services there.)

You would think notifications and warnings would be just common sense, but there seems to be a lot of push-back from major site operators, with some suggesting that this might be an 'extreme' response. I believe that operators have an ethical obligation to notify the affected relying parties when the the security of their communications is at risk.

As for what I'm doing about SSL security, well, first, I've advocated a SSL CA for Canada, and that in the long-term that existing *.ca cert-issuing CA's be transitioned (as CIRA Certified Sub-CA's) to a national CA operated by CIRA. Then the browser makers could pin .CA to the CIRA CA root, and we'd never have to worry about SSL certificate trust for a dot-ca website again. I'll do my best to make this a reality of elected ( https://www.kevinforcira.ca ) in September.

In the mean time, we'll see how Google responds.