Google revealed today that it has discovered several fake digital certificates for some of its domains.
That’s bad, because any browser connecting to these domains over Transport Layer Security (TLS, the successor to SSL) relies on the site’s certificate, and on the chain of certificate authorities that signed it, to be sure it is talking to the real site and not an impostor.
In other words, that little “lock” icon and the https:// prefix in the URL that tell you you’re on a legitimate Google site? Your browser shows them when the certificate the site presents chains up to a certificate authority the browser trusts.
But if a certificate for a Google domain is issued to someone other than Google, and a trusted certificate authority has vouched for it, the browser has no way to tell the difference: the lock appears, and whoever holds that certificate can impersonate the site or intercept traffic to it.
Google wrote in a blog post earlier today:
On Friday, March 20th, we became aware of unauthorized digital certificates for several Google domains. The certificates were issued by an intermediate certificate authority apparently held by a company called MCS Holdings. This intermediate certificate was issued by CNNIC.
MCS is based in Egypt. CNNIC is based in China.
The potential impact of these fake certificates could be quite broad:
CNNIC is included in all major root stores and so the misissued certificates would be trusted by almost all browsers and operating systems.
There are a few exceptions:
Chrome on Windows, OS X, and Linux, ChromeOS, and Firefox 33 and greater would have rejected these certificates because of public-key pinning, although misissued certificates for other sites likely exist.
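Public-key pinning is the mechanism that saved the pinned Google domains here, so it is worth seeing what the check actually does. The following is an added example, not code from the page or from Google or Mozilla: it computes pins the way RFC 7469 (HPKP) and the browsers' built-in pin lists do, as base64(SHA-256) over the DER-encoded SubjectPublicKeyInfo of a key, parses a Public-Key-Pins header, and then runs a pin check over two certificate chains. The SPKI blobs are constructed stand-ins (real code would extract them from each certificate in the validated chain), and the pin set and the chain names are hypothetical; only the hashes matter for the logic.

```python
import base64
import hashlib
import re


def spki_pin(spki_der: bytes) -> str:
    """RFC 7469 pin: base64(SHA-256(DER SubjectPublicKeyInfo)).

    The pinned value is a hash of the public key, not of the certificate, so a
    CA can reissue or rotate certificates without breaking the pin as long as
    the same key is used somewhere in the chain.
    """
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


_PIN_DIRECTIVE = re.compile(r'pin-sha256="([A-Za-z0-9+/]+={0,2})"')


def parse_pkp_header(value: str) -> dict:
    """Parse a Public-Key-Pins header value into its pin set and directives."""
    result = {"pins": set(_PIN_DIRECTIVE.findall(value)),
              "max_age": None, "include_subdomains": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.lower()
        if name == "max-age" and arg.isdigit():
            result["max_age"] = int(arg)
        elif name == "includesubdomains":
            result["include_subdomains"] = True
    return result


def chain_matches_pins(chain_spkis, pinned_hashes) -> bool:
    """Pin check as browsers apply it after normal chain validation.

    At least one key anywhere in the chain (leaf, intermediate or root) must
    hash to a pinned value. A chain that validates against the root store but
    contains no pinned key is rejected, which is exactly what stopped the MCS
    certificates on pinned Google domains even though CNNIC is a trusted root.
    """
    return any(spki_pin(spki) in pinned_hashes for spki in chain_spkis)


def pin_check(chain_spkis, pinned_hashes) -> bool:
    """Browser behaviour: a host with no pins configured gets no pin protection
    at all, which is why Google notes that misissued certificates for other
    (unpinned) sites would still have been accepted."""
    if not pinned_hashes:
        return True
    return chain_matches_pins(chain_spkis, pinned_hashes)


# Constructed stand-ins for DER SubjectPublicKeyInfo blobs (hypothetical names).
SPKI = {name: f"constructed-spki:{name}".encode() for name in
        ("google-leaf", "google-intermediate", "google-root",
         "rogue-google-leaf", "mcs-intermediate", "cnnic-root")}

# Hypothetical pin set for a Google domain: the key of the root Google's own
# certificates chain to.
GOOGLE_PINS = {spki_pin(SPKI["google-root"])}

LEGIT_CHAIN = [SPKI["google-leaf"], SPKI["google-intermediate"], SPKI["google-root"]]
# The MCS scenario: a leaf for a Google domain signed by the MCS intermediate,
# which chains to CNNIC, a root that is in every major root store.
MISISSUED_CHAIN = [SPKI["rogue-google-leaf"], SPKI["mcs-intermediate"], SPKI["cnnic-root"]]


def demo() -> dict:
    return {"legit": pin_check(LEGIT_CHAIN, GOOGLE_PINS),
            "misissued": pin_check(MISISSUED_CHAIN, GOOGLE_PINS),
            "misissued_unpinned_site": pin_check(MISISSUED_CHAIN, set())}


if __name__ == "__main__":
    print(demo())
```

The third result is the caveat in Google's statement: pinning only protects domains that ship a pin set, so a rogue intermediate under a trusted root can still mint accepted certificates for every other site until the intermediate is revoked or blocked in the browsers' root stores.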
Google says it promptly alerted CNNIC after discovering the certificates. MCS appears to have flouted CA policy: rather than keeping the intermediate’s private key locked in a hardware security module, it installed the intermediate in a man-in-the-middle proxy, which minted certificates for whatever sites users visited so the proxy could intercept their encrypted traffic.
Google pulls no punches in its assessment of the situation, calling it “a serious breach of the CA [certificate authority] system” and blaming CNNIC for having “delegated their substantial authority to an organization that was not fit to hold it.”
Do you need to worry? Probably not. While Google did not say which domains were affected, it noted that Chrome already blocks the offending MCS intermediate, that Chrome users do not need to take any further action, and that it is considering whether further responses against CNNIC are necessary.
It’s not clear whether Firefox, Internet Explorer, or Opera users face any risk on sites that are not pinned. Ars Technica noted that Mozilla will revoke the MCS intermediate in the upcoming Firefox 37, which should address the risk for Firefox users as long as they upgrade.
We’re contacting Google for clarification.
Update: The headline of this story was updated to clarify that Google discovered the fake digital certificates, not that the company’s security was impacted.