|
|
Пишет LWN.net (![[info]](http://lj.rossia.org/img/syndicated.gif){kind=small} syn_lwnheadline)@ 2015-03-24 00:00:00 |
 |
|
 |
|
|
|
|
|
|
 |
|
 |
Google: Maintaining digital certificate security
It seems it was about time for another certificate authority horror story;
the Google Online Security Blog duly delivers.
"CNNIC responded on the 22nd to explain that they had contracted with
MCS Holdings on the basis that MCS would only issue certificates for
domains that they had registered. However, rather than keep the private key
in a suitable HSM, MCS installed it in a man-in-the-middle proxy. These
devices intercept secure connections by masquerading as the intended
destination and are sometimes used by companies to intercept their
employees’ secure traffic for monitoring or legal reasons. The employees’
computers normally have to be configured to trust a proxy for it to be able
to do this. However, in this case, the presumed proxy was given the full
authority of a public CA, which is a serious breach of the CA
system."
It seems it was about time for another certificate authority horror story;
the Google Online Security Blog duly delivers.
"CNNIC responded on the 22nd to explain that they had contracted with
MCS Holdings on the basis that MCS would only issue certificates for
domains that they had registered. However, rather than keep the private key
in a suitable HSM, MCS installed it in a man-in-the-middle proxy. These
devices intercept secure connections by masquerading as the intended
destination and are sometimes used by companies to intercept their
employees’ secure traffic for monitoring or legal reasons. The employees’
computers normally have to be configured to trust a proxy for it to be able
to do this. However, in this case, the presumed proxy was given the full
authority of a public CA, which is a serious breach of the CA
system."
