Google catches India with fake certificates
As the world becomes more dependent, and some might say blindly so, on digital certificates, it's only natural that attackers will seek to circumvent this trust. Whether the Indian government was complicit in, or itself a victim of hacking behind, the issuance of certificates that impersonated Google, the result is the same: individuals, businesses, and even many governments placed blind trust in digital certificates, and so we're all the victims.
We've trained operating systems, mobile devices, and even people to blindly trust digital certificates. In the hands of those who want to circumvent the authenticity and privacy that certificates provide, malicious certificates become a powerful weapon. Time and time again we see security controls that are blindly trusted being turned around and used to perpetrate crime.
Over the last year, McAfee has found that the use of digital certificates to enable malicious software has grown at least 50% quarter over quarter. For business this is a serious problem: in a small study, Facebook found over 6,000 forged digital certificates purporting to be for the real Facebook.
With attackers able to spoof legitimate services and decrypt private communications, the impact on customer privacy, brand reputation, and protection of intellectual property can't be calculated. Not surprisingly, then, Gartner expects 50% of all network attacks to use SSL – something that's blindly trusted today – by 2017.
The use of malicious certificates in India to impersonate Google is a serious and alarming threat for everyone. If we can't establish trust online, then we're back to 1993, when you couldn't run a supply chain, bank over the Internet, or shop online. Even more alarming: what if attackers were compromising certificates used for payment systems, banks, or even e-enabled aircraft from Boeing and Airbus?
What we take for granted could all be threatened because we placed blind trust in digital certificates. Economies could go into recession and people could even be killed. This is no longer a hypothetical threat – the use of malicious certificates in India against Google and its customers is just one more example of how serious this problem is.
The use of malicious certificates is another wake-up call for businesses and governments to take action. They can't trust third-party Certificate Authorities (CAs) that their organization has no reason to trust. But browsers, operating systems, enterprise applications, and mobile devices do. Certificate whitelisting makes sure that only those CAs that should be trusted are trusted – all other CAs are removed. Right now, every enterprise should be using certificate whitelisting to make sure the Indian Controller of Certifying Authorities is no longer trusted. Beyond this, enterprises need to be able to respond quickly and remediate.
Next time it may be certificates issued by a now-untrusted CA (as is clearly the case with the Indian CA), or some of an organization's own certificates may have been compromised and be in active misuse. Next Generation Trust Protection systems protect keys and certificates so that cybercriminals can't misuse them. And in the event of a security incident like Heartbleed, where keys and certificates must be replaced quickly, organizations can respond in minutes, not days or weeks.