Security Google warns of unauthorized TLS certificates trusted by almost all OSes

[J65nko]

From http://arstechnica.com/security/2015...most-all-oses/

Quote:

In the latest security lapse involving the Internet's widely used encryption system, Google said unauthorized digital certificates have been issued for several of its domains and warned misissued credentials may be impersonating other unnamed sites as well.

The bogus transport layer security certificates are trusted by all major operating systems and browsers, although a fall-back mechanism known as public key pinning prevented the Chrome and Firefox browsers from accepting those that vouched for the authenticity of Google properties, Google security engineer Adam Langley wrote in a blog post published Monday. The certificates were issued by Egypt-based MCS Holdings, an intermediate certificate authority that operates under the China Internet Network Information Center (CNNIC). The Chinese domain registrar and certificate authority, in turn, is included in root stores for virtually all OSes and browsers.

The issuance of the unauthorized certificates represents a major breach of rules established by certificate authorities and browser makers. Under no conditions are CAs allowed to issue certificates for domains other than those legitimately held by the customer requesting the credential. In early 2012, critics blasted US-based CA Trustwave for doing much the same thing, and Langley noted an example of a France-based CA that has also run afoul of the policy.

[Oko]

Quote:

Originally Posted by J65nko

From http://arstechnica.com/security/2015...most-all-oses/

This is a good news for U.S. business and a bad news for people who want to buy cheap certificates. Recently we purchased few certificates ($15) from GoDaddy for one of our small projects. The certificates were rejected by all browsers. Next step for us is Verisign and spending few hundred dollars for a certificate. I expect to see more and more of such things.

[gpatrick]

Have you thought of using CAcert.org? Of course those may also be rejected, but if not, they're free.

[scottro]

There's also https://www.ssls.com/ for very cheap ones. No idea if they usually get rejected or not though.

If rejected, they're still less than $10.00 USD.

[J65nko]

There are also Extended Validation Certificates.

Because the CA is supposed to do a more extensive background check, these are more expensive. Don't know if they have a higher acceptance rate . In the browser address bar, the URL mentioned by scottro shows a green lock and the name of the legal company (Namecheap Inc, US) running that website.