France’s cyberdefence division, Agence nationale de la sécurité des systèmes d’information (ANSSI), has been detected creating unauthorised digital certificates for several Google domains.
“Intermediate CA certificates carry the full authority of the CA, so anyone who has one can use it to create a certificate for any website they wish to impersonate,” Google wrote.
In a statement by ANSSI, the cyberdefence organisation revealed that this intermediate CA is actually its own infrastructure management trust administration, or “L’infrastructure de gestion de la confiance de l’administration” (IGC/A). ANSSI itself is the cyber response and detection division of the French republic.
ANSSI states that the fraudulent certificates were a result of “human error, which was made during a process aimed at strengthening overall IT security”.
“The mistake has had no consequences on the overall network security, either for the French administration or the general public.”
Google states that the certificate was used in a commercial device, on a private network, to inspect encrypted traffic. According to the web giant, users on that network were aware that this was occurring, but the practice was in violation of ANSSI’s procedures.
Google used the incident to highlight the need for its Certificate Transparency project, aimed at fixing flaws in the SSL certificate system that could result in man-in-the-middle attacks and website spoofing. Google’s answer to these flaws is for CAs to adopt a framework that monitors and audits these certificates, thus outing rogue CAs or when certificates are illegitimately issued.
While the framework is open for any CA to adopt, its effectiveness ultimately relies on CAs choosing to participate.
This is not the first time that the flaws of SSL certificates have been exposed. The US National Security Agency is alleged to have used man-in-the-middle attacks through unauthorised certificates against Google in the past. Additionally, in August 2011, a breach at DigiNotar, another CA, found that an Iranian hacker had created rogue certificates for Google domains, intercepting user passwords for Gmail.