The National Security Agency isn’t the only government entity that goes to extreme measures to spy on people. Google caught the ANSSI, the French State Information Security Agency, using faked security certificates to trick people into thinking they were on Google’s websites. The ANSSI was quick to point to the treasury department as the real culprit.
SSL certificates are what ensure you are securely connected to the proper entity over an HTTPS connection, so fake ones are a real security risk. By creating a fake certificate, a hacker can impersonate a service, in this case Google, and trick the end user into handing over personal information. This type of attack on users is known as a “man-in-the-middle attack,” and it has been used by security agencies before; the NSA is famous for doing this. Root CAs, the highest-level authorities when it comes to issuing and verifying SSL certificates, are highly trustworthy sources that in turn verify “intermediate CAs.” The ANSSI used intermediate CAs to do its bidding.
A week ago, Google was alerted to the use of a fake intermediate CA. With an update to Chrome, the intermediate CA was blocked, and Google began tracing back where it came from. This led Google to the ANSSI.
According to a statement from Google, the ANSSI found the certificate had been used “in a commercial device, on a private network, to inspect encrypted traffic with the knowledge of the users on that network.” Essentially, what was (allegedly) going on is that the French treasury wanted to monitor its employees’ online activity and had the ANSSI spoof SSL certificates with Google’s name to do so. Employees thought they were connecting to Google websites when, in fact, they weren’t.
A statement from ANSSI called the use of the certificate “human error.” The statement went on to say that the error “was made during a process aimed at strengthening the overall IT security of the French Ministry of Finance,” through which “digital certificates related to third-party domains which do not belong to the French administration have been signed by a certification authority of the DGTrésor (Treasury).”
The ANSSI has revoked the Treasury’s fake Google intermediate CA and is moving to make changes that will keep this from happening again. Google is using the incident to call for certificate transparency, a move that would require certificates to be audited in real time. Let’s see what happens.