On Friday, Google reported on its online security blog the faulty issuance of a certificate for google.com and www.google.com by Symantec, a prominent Certificate Authority. This misissuance is significant not only because it represents a breach in the core Internet trust mechanism; it was also the first of its kind with regard to both the type of certificate issued (Extended Validation) and the mechanism by which the certificate was discovered (Certificate Transparency).
A Quick Primer on Certificates and PKI
Certificate Authorities (CAs) are trusted notaries which underpin the main transport security model of the Web and other Internet services. When you visit an HTTPS site, your browser's trust that you are communicating with the site you requested is ultimately anchored by the trust placed in a CA. For a certificate generated by a site operator to be valid in the browser, it must be signed by a CA. There are hundreds or thousands of CAs, depending on how you count. In general, any CA can sign a certificate for any site. The fundamental duty of the CA is to verify certificate requests submitted to it, and sign only those that it can verify as legitimate.
Most of the time, that legitimacy is established by verifying that the person actually asking for the signature is someone who controls the domain. This type of verification is called, in CA parlance, Domain Validation (DV). Since anyone can register a domain name, some organizations also want to provide extra assurance to the public that their services are operated by a particular legal entity. This may be useful, for instance, to mitigate the risk posed by phishing sites, which mimic other sites to trick users into entering sensitive information like passwords. In this case, a CA can issue an Extended Validation (EV) certificate, which vouches that the CA has done extra work, not only to verify control of the domain, but also to verify the legal name and location of the organization listed in the certificate. Browsers display this extra level of verification to the user with a green bar next to the site URL, containing the name of the organization.
This ecosystem of trust is called the Public Key Infrastructure (PKI), and relies on the CAs to follow stringent guidelines of behavior to ensure the system works properly.
Certificate Misissuance and Mitigation
This isn't the first time certificates for Google have been misissued. In 2011, the Dutch CA DigiNotar issued a wildcard cert for Google, which was then used as part of a Man-in-the-Middle attack on Iranians using Google services. Such attacks can be used to steal login credentials or sensitive information, monitor the activities of users, and impersonate them. When that happens, revoking the forged certificates and addressing the cause of the forgery is the appropriate response. Additionally, as a result of DigiNotar's failure, the major operating systems and browsers removed DigiNotar's root certificate from their trust stores, and the CA went bankrupt.
Although mechanisms already existed to revoke certificates quickly at the time of the attack, this instance as well as others prompted browsers and CAs to question the effectiveness of revocation without a mechanism to quickly detect when a forged certificate is being used.
Enter Certificate Transparency (CT). CT helps with the detection problem by establishing a set of append-only public logs of certificates that anyone can audit. Certificate authorities that participate in CT are expected to submit each issued certificate to at least two CT logs. Individuals are also free to submit observed certificates to public logs. Logs can be independently monitored to alert site owners when a new certificate for their site is entered in the log. This alerting will help a site owner quickly detect certain types of misissuance and get any misissued certificates revoked. In Chrome, CT is required for all new EV certificates.
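The two CT properties described above, an append-only log anyone can audit and monitoring that alerts a site owner, as an added example that is not part of the original post: a minimal RFC 6962-style Merkle tree (leaf and node hash prefixes as in the RFC) with inclusion-proof generation and verification, plus a monitor that flags log entries naming a watched domain. The log entries, domain names and issuer names are constructed stand-ins for real certificates.

```python
import hashlib

# Constructed stand-in log entries (a real log holds DER certificates):
# (subject names, issuer, validity in days). All values are illustrative.
SAMPLE_LOG = [
    (("example.org", "www.example.org"), "Hypothetical CA A", 365),
    (("shop.example.net",), "Hypothetical CA A", 90),
    (("google.com", "www.google.com"), "Hypothetical Test CA", 1),
    (("mail.example.org",), "Hypothetical CA B", 365),
    (("blog.example.com",), "Hypothetical CA B", 365),
]

def serialize(entry):
    return ";".join([",".join(entry[0]), entry[1], str(entry[2])]).encode()

def leaf_hash(data):          # RFC 6962: SHA-256(0x00 || entry)
    return hashlib.sha256(b"\x00" + data).digest()

def node_hash(left, right):   # RFC 6962: SHA-256(0x01 || left || right)
    return hashlib.sha256(b"\x01" + left + right).digest()

def merkle_root(leaves):
    # Split at the largest power of two smaller than n, as in RFC 6962 MTH().
    if not leaves:
        return hashlib.sha256(b"").digest()
    if len(leaves) == 1:
        return leaf_hash(leaves[0])
    k = 1
    while k * 2 < len(leaves):
        k *= 2
    return node_hash(merkle_root(leaves[:k]), merkle_root(leaves[k:]))

def inclusion_proof(leaves, m):
    # Sibling hashes from leaf m up to the root (RFC 6962 PATH(m, D[n])).
    n = len(leaves)
    if n <= 1:
        return []
    k = 1
    while k * 2 < n:
        k *= 2
    if m < k:
        return inclusion_proof(leaves[:k], m) + [merkle_root(leaves[k:])]
    return inclusion_proof(leaves[k:], m - k) + [merkle_root(leaves[:k])]

def verify_inclusion(leaf, index, tree_size, proof, root):
    # Auditor-side check: recompute the root from leaf + proof without the log.
    fn, sn, r = index, tree_size - 1, leaf_hash(leaf)
    for p in proof:
        if sn == 0:
            return False
        if fn & 1 or fn == sn:
            r = node_hash(p, r)
            while not (fn & 1 or fn == 0):
                fn >>= 1; sn >>= 1
        else:
            r = node_hash(r, p)
        fn >>= 1; sn >>= 1
    return sn == 0 and r == root

def monitor(log, watched):
    # What a CT monitor does for a site owner: flag entries naming its domains.
    return [(i, e) for i, e in enumerate(log) if any(d in watched for d in e[0])]
```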
So what exactly happened?
As noted in the blog post, Symantec issued the certificate "during a Symantec-internal testing process." There is no indication of malicious intent with the certificate, which was only valid for a period of one day. All indications show that Symantec responded to the situation quickly, cooperating with Google to fix the problem. However, the severity of this misissuance should not be understated. Under normal circumstances, issuing a certificate without due diligence is a fundamental breach of trust. But the level of trust accorded EV certs like the one Symantec misissued makes this breach even more serious. To make matters worse, Symantec was performing tests using domains that it does not normally issue certificates for. Google's certificates are generally signed by an intermediate CA which chains to GeoTrust. There should be a clear separation between testing mechanisms and the actual signing process, but in this case it is clear that the necessary mechanisms for care in handling certificate signing were not in place. Nevertheless, the scale of this misissuance seems far from approaching that of other breaches.
Also noted in the blog post is that this certificate was discovered via a CT log. This is exciting news! It is the first reported time CT has successfully detected a misissued certificate. In the future, we hope to see more users protected by CT and its adoption across the web.
Edit 9/21: changed wording of final paragraph to more accurately describe certificate detection