The Google Online Security Blog published a post on a recent finding, together with a Google Chrome security update: "Improved Digital Certificate Security".
The cause was an EV SSL certificate for www.google.com issued by Thawte (Symantec):
On September 14, around 19:20 GMT, Symantec’s Thawte-branded CA issued an Extended Validation (EV) pre-certificate for the domains google.com and www.google.com. This pre-certificate was neither requested nor authorized by Google.
Google discovered it through Certificate Transparency:
We discovered this issuance via Certificate Transparency logs, which Chrome has required for EV certificates starting January 1st of this year. The issuance of this pre-certificate was recorded in both Google-operated and DigiCert-operated logs.
The corresponding certificate record can be seen at "crt.sh | 9314698", including the public key information.
Google then checked with Symantec and concluded that it was caused by internal testing (...):
During our ongoing discussions with Symantec we determined that the issuance occurred during a Symantec-internal testing process.
A security update was also released that puts this key into Google Chrome's revocation metadata:
We have updated Chrome’s revocation metadata to include the public key of the misissued certificate. Additionally, the issued pre-certificate was valid only for one day.
A one-day internal test? Why does this look more like an APT attack to me?
Finally, one more note: in Google Chrome, SSL certificates for the *.google.com domain space are specially protected. See the JSON data in "transport_security_state_static.json", which contains these sections:
{
  "name": "google",
  "static_spki_hashes": [
    "GoogleBackup2048",
    "GoogleG2",
    "GeoTrustGlobal"
  ],
  "report_uri": "http://clients3.google.com/cert_upload_json"
},
and:
// (*.)google.com, iff using SSL, must use an acceptable certificate.
{ "name": "google.com", "include_subdomains": true, "pins": "google" },
In other words, only Google's own CAs and the GeoTrust CA are allowed to issue SSL certificates for www.google.com (at least, Google Chrome will enforce this). And GeoTrust is also a Symantec brand.
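To show how a pin list like the two fragments above is actually enforced, here is an added example (not code from the original post or from Chromium) of the check a browser performs: look up the host's entry (honouring include_subdomains), resolve the named pinset, and accept the chain only if at least one certificate in it has a SubjectPublicKeyInfo whose SHA-256 matches a pin. The SPKI blobs, the NAMED_PINS mapping and the "ThawteEV" issuer are constructed placeholders; in Chrome the names in static_spki_hashes resolve to hashes of real keys kept beside the JSON.

```python
import base64
import hashlib
import json

# Constructed excerpt modelled on the two fragments of Chrome's
# transport_security_state_static.json quoted above: one named pinset
# and the host entry that refers to it.
PIN_CONFIG = json.loads("""
{
  "pinsets": [
    { "name": "google",
      "static_spki_hashes": ["GoogleBackup2048", "GoogleG2", "GeoTrustGlobal"],
      "report_uri": "http://clients3.google.com/cert_upload_json" }
  ],
  "entries": [
    { "name": "google.com", "include_subdomains": true, "pins": "google" }
  ]
}
""")


def spki_pin(spki_der: bytes) -> str:
    """Chrome-style pin value: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


# Placeholder SPKI blobs standing in for real public keys (constructed for
# this example; "ThawteEV" is a hypothetical issuer that is NOT in the pinset).
SPKI = {
    "GoogleBackup2048": b"constructed-spki:GoogleBackup2048",
    "GoogleG2": b"constructed-spki:GoogleG2",
    "GeoTrustGlobal": b"constructed-spki:GeoTrustGlobal",
    "ThawteEV": b"constructed-spki:ThawteEV",
    "Leaf": b"constructed-spki:leaf-www.google.com",
}
NAMED_PINS = {name: spki_pin(der) for name, der in SPKI.items()}


def find_entry(host: str):
    """Return the most specific entry covering host, honouring include_subdomains."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        for entry in PIN_CONFIG["entries"]:
            if entry["name"] != candidate:
                continue
            # An exact match always applies; a parent only if it includes subdomains.
            if i == 0 or entry.get("include_subdomains", False):
                return entry
    return None


def chain_accepted(host: str, chain_spki_der: list) -> bool:
    """Pin check: the chain must contain at least one SPKI from the host's pinset.

    chain_spki_der holds the DER SubjectPublicKeyInfo blobs of an already
    path-validated chain, leaf first. Hosts without an entry are unpinned.
    """
    entry = find_entry(host)
    if entry is None or "pins" not in entry:
        return True
    pinset = next(p for p in PIN_CONFIG["pinsets"] if p["name"] == entry["pins"])
    allowed = {NAMED_PINS[n] for n in pinset["static_spki_hashes"]}
    return any(spki_pin(der) in allowed for der in chain_spki_der)


if __name__ == "__main__":
    # Chain anchored at GeoTrust (a pinned key): accepted.
    ok = chain_accepted("www.google.com", [SPKI["Leaf"], SPKI["GeoTrustGlobal"]])
    # Chain through an unpinned Thawte issuer: rejected even though it validates.
    bad = chain_accepted("www.google.com", [SPKI["Leaf"], SPKI["ThawteEV"]])
    print("GeoTrust chain accepted:", ok, "| Thawte chain accepted:", bad)
```

The point the example makes is the one the post relies on: a certificate can be perfectly valid under normal path validation (which the misissued Thawte EV pre-certificate would have been) and still be rejected by Chrome, because no key in its chain is in the pinset for google.com. Pinning does not help a client that uses a different trust store, which is why the revocation-metadata update was still needed.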
If I were to guess from a conspiracy-theory angle, this looks more like a test of which reporting channels would let Google find out.