Google revealed yet another big breach in security and privacy when it uncovered fake digital certificates for its own domains, issued by an intermediate certificate authority linking back to the ANSSI (Agence nationale de la sécurité des systèmes d’information), last Saturday.
The French cyber-defense unit was quick to release a statement to show it took the matter seriously and flagged this incident as a “human error”:
What exactly is at stake here?
In order to keep our data private and secure, the majority of web services go through HTTPS (as opposed to plain HTTP) by using SSL, a cryptographic system that wraps the traffic packets transmitted with a secure key.
Unfortunately the SSL certificate system has several flaws that can be exploited, and spoofing legitimate websites with fake digital certificates is one of them.
This situation can allow what we call a man-in-the-middle attack (MitM) where the victim thinks he is talking directly to his interlocutor (i.e. Google) but actually isn’t.
Not only can an attacker eavesdrop on your communications, but it can also manipulate the content you get back.
Does it sound like you’ve heard this before? Yes, in fact not so long ago the NSA and GCHQ (British Intelligence) were exposed in one of Snowden’s leaks for doing MitM attacks against Brazil. There are also some strong allegations against the NSA for the Diginotar (Certificate Authority) hack.
The 2014-2019 defense bill
“La Quadrature du Net” reports that France is trying to pass a law towards generalised Internet surveillance.
“It marks a strong shift towards total online surveillance. If passed, the bill will not only allow live monitoring of everyone’s personal and private data but also do so without judicial oversight, as the surveillance will be enabled through administrative request. The bill also turns permanent measures that were only temporary.”
This move comes at the most awkward of times when major Internet companies in the U.S. are writing an open letter the U.S. government to urge for a change on bulk data collection.
This concerted and highly publicized effort is certainly going to put pressure on the government, but also indirectly gives some credit to the Snowden leaks.
However, industry giants like Facebook or Google do have a very keen interest in addressing privacy issues as their revenues directly depend upon how much individuals are willing to share about themselves which in turn fuels targeted advertising.
At the end of the day, the threat landscape looks quite different now that we know what is going on.
On top of worrying about cyber-criminals, you should be aware that everything you do online is recorded whether it is by government agencies or big corporations where you are the product.
These are very strange times indeed. In a somewhat unexpected statement last week, Microsoft compared the NSA to an APT (Advanced Persistent Threat).
And now the French government is going against the tide trying to allow authorities unfettered access to user data without judicial approval. Go and try to figure this one out…
Jerome Segura (@jeromesegura) is a senior security researcher at Malwarebytes.