Google Stares Down Yet Another Fraudulent SSL/TLS Certificate
Page 1 of 1
On March 23 Google reported that unauthorized certificates for Google domains were issued by MCS Holdings, which is an intermediate certificate authority under CNNIC. Because CNNIC is a trusted CA that is included in every major Web browser, the certificate might have been trusted by default, even though it wasn't legitimate.
Google, thanks to its own past experience, leverages HTTP public key pinning (HPKP) in Chrome and Firefox. With HPKP, sites can "pin" certificates that they will allow. As such, fraudulent certificates not pinned by Google would not be accepted as authentic.
"We promptly alerted CNNIC and other major browsers about the incident, and we blocked the MCS Holdings certificate in Chrome with a CRLSet push," Google Security Engineer Adam Langley wrote in a blog post. "Chrome users do not need to take any action to be protected by the CRLSet updates."