Getting certificate management wrong is not uncommon: is Chrome’s revoked Verizon cert a security issue though?
Google’s Chrome browser, used by over a billion users, is shipping with a revoked root certificate at its heart, says British cybersecurity startup Cybersec Innovation Partners (CIP), claiming the revelation exposes a security issue that has remained unpatched by Google despite their disclosure: an allegation that Google denies.
With expired/revoked certs a perennial enterprise pain point, Computer Business Review set about investigating the allegation, made to us by CIP, with supporting evidence including screen shots of the certificate itself.
CIP – founded in 2018 – provides a PKI/software certificate deep discovery and life cycle management platform dubbed Whitethorn that was initially developed in Germany for a NATO project. The company found the revoked certificate using the tool, and alerted Google Chrome developers on May 16, to the sound of a resounding shrug.
Chrome Certificate Issue “Could Leave Users Open to Attack”
CIP’s Paul Foster, former global head of cyber security at HSBC, said: “They notified me on May 24 that this will not be fixed as it would possibly break certificate compression and the only benefit would be reducing the binary size (size of the software driver).”
“Potentially this could open the door to identity spoofing leading to installation and trust of malware as if it came from the vendor itself. So, a user could think they were accessing the log-in page for their internet banking and be on a fraudulent site instead.”
“This could still leave all Chrome users open to attack and certainly shouldn’t be trusted as it breaks the whole chain of trust validation. If users want to be safe, there are alternate browsers in the meantime that could be used until this is remediated.”
With Google Chrome security types proving hard to rouse, Computer Business Review put this to a well-regarded third-party security company, SecureData, whose Andrew Lam took a look at the Chrome.dll file to try to find more details about the cert.
He said: “As illustrated in the PDF [image shared above] the revoked certificate is in the Certificate Revocation List (CRL). Chrome uses the CRL, which it pulls from top CAs on a regular basis. Therefore Chrome should throw an exception saying the page is not safe! Furthermore, a revoked certificate does not mean it is compromised, and not necessarily cracked, as it is a SHA256 with RSA 2018 it would be pretty difficult.”
He added: “I have opened up the Certificate file and I cannot find reference to this Verizon certificate but I am on version 75.0.3770.100.”
“Note that a revoked certificate does not mean it is compromised, and not necessarily cracked, as it is a SHA256 with RSA 2018 it would be pretty difficult.”
Chivvied for a response, Google emphasised that it is impossible to tell just by looking at the Chrome binary which of the certificates it contains are used for a security-sensitive purpose and which are not. CIP had correctly identified that a certificate shipped in Chrome had been revoked, and had it been used to determine whether a website or connection should be trusted, it would certainly be a security bug and would be patched, they said.
But revoked though it may be, there is no security issue, a spokesman said: “[This cert] is used as part of an optimisation of the QUIC protocol*, to save bandwidth if that certificate were to be sent by a web server. But if a web server or an attacker were to use the certificate, it would not be trusted by Chrome, and the user would be presented with a full page warning similar to https://revoked.badssl.com/”.
That leaves us little clearer on the precise details of its usage, but not all that glitters, in this instance, is a golden vulnerability, apparently; Google is typically responsive to vulnerability disclosures by security researchers.
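To make the distinction Google is drawing concrete, here is an added toy model (not Chrome’s code, and not real QUIC or X.509) of how a certificate can live in a client’s compression dictionary without being a trust anchor. The server replaces any certificate the client already holds with a short reference to save bytes; the client expands the reference and then validates the chain against a separate trust store and revocation list. All certificates, hostnames and serial numbers are constructed for the example; the “Old Root CA” stands in for a cached-but-revoked root and is deliberately absent from the trust anchors.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """Stand-in for an X.509 certificate (constructed fields, not real DER)."""
    subject: str
    issuer: str
    serial: int

    def encode(self) -> bytes:
        return f"{self.subject}|{self.issuer}|{self.serial}".encode()

    @staticmethod
    def decode(raw: bytes) -> "Cert":
        subject, issuer, serial = raw.decode().split("|")
        return Cert(subject, issuer, int(serial))


def cert_ref(cert: Cert) -> bytes:
    """Short identifier a peer may send instead of the full certificate bytes."""
    return hashlib.sha256(cert.encode()).digest()[:8]


# Constructed sample certificates (hypothetical names and serials).
ROOT_GOOD = Cert("Good Root CA", "Good Root CA", 1)
ROOT_OLD = Cert("Old Root CA", "Old Root CA", 2)    # cached for compression, but revoked
LEAF_GOOD = Cert("bank.example", "Good Root CA", 10)
LEAF_BAD = Cert("bank.example", "Old Root CA", 11)


def server_compress(chain, peer_known_refs):
    """Server side: send a reference for any cert the client already holds, else full bytes."""
    msg = []
    for cert in chain:
        ref = cert_ref(cert)
        msg.append(("ref", ref) if ref in peer_known_refs else ("full", cert.encode()))
    return msg


class Client:
    def __init__(self, trust_anchors, revoked, dictionary):
        self.trust_anchors = set(trust_anchors)            # roots actually trusted
        self.revoked = set(revoked)                        # (issuer, serial) pairs, like CRL entries
        self.dictionary = {cert_ref(c): c for c in dictionary}  # compression cache only

    def known_refs(self):
        return set(self.dictionary)

    def expand(self, msg):
        """Rebuild the full chain from the compressed message."""
        chain = []
        for kind, payload in msg:
            if kind == "full":
                chain.append(Cert.decode(payload))
            elif kind == "ref":
                if payload not in self.dictionary:
                    raise ValueError("unknown certificate reference")
                chain.append(self.dictionary[payload])
            else:
                raise ValueError(f"bad message element {kind!r}")
        return chain

    def validate(self, chain, hostname):
        """Trust decision: independent of how the chain arrived on the wire."""
        if not chain or chain[0].subject != hostname:
            return "FAIL: name mismatch"
        for child, parent in zip(chain, chain[1:]):
            if child.issuer != parent.subject:
                return "FAIL: broken chain"
        for cert in chain:
            if (cert.issuer, cert.serial) in self.revoked:
                return f"FAIL: revoked certificate {cert.subject!r} serial {cert.serial}"
        if chain[-1] not in self.trust_anchors:
            return f"FAIL: untrusted root {chain[-1].subject!r}"
        return "OK"


def handshake(client, server_chain, hostname):
    """Run one exchange; return (verdict, bytes the server put on the wire)."""
    msg = server_compress(server_chain, client.known_refs())
    wire_bytes = sum(len(payload) for _, payload in msg)
    return client.validate(client.expand(msg), hostname), wire_bytes


def demo():
    client = Client(trust_anchors=[ROOT_GOOD],
                    revoked=[("Old Root CA", 2)],
                    dictionary=[ROOT_GOOD, ROOT_OLD])
    return {
        "good": handshake(client, [LEAF_GOOD, ROOT_GOOD], "bank.example"),
        "bad": handshake(client, [LEAF_BAD, ROOT_OLD], "bank.example"),
    }


if __name__ == "__main__":
    for name, (verdict, nbytes) in demo().items():
        print(f"{name}: {verdict} ({nbytes} bytes on the wire)")
```

Both chains compress (the root is sent as an eight-byte reference in each case), which is the only purpose the dictionary serves; the chain ending in the revoked root is still rejected, and the verdict would be the same if the server had sent it in full. The defensive point is that a revocation check and a trust-anchor check must sit on the validation path, not on the transport path.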
CIP’s enthusiasm – although the company appears to have been inaccurate about the consequences of Chrome shipping with this particular oddity – is, meanwhile, understandable: certificate problems have caused myriad issues for companies over the years, most recently in Ericsson’s (expired certificate-triggered) global network outage in December 2018, which affected some 32 million mobile network users.
Equifax, meanwhile, allowed over 300 security certificates to expire, including 79 certificates for monitoring business critical domains, prior to a data breach that exposed the personal data of over 143 million people. Keeping an eye on the state of your software certificates is no bad thing and revocations can be for security reasons.
In this instance though, Google’s response: “thanks, but it’s harmless…”
*A UDP-based transport protocol for the internet, developed by Google with the aim of making web pages load faster by using zero-round-trip connection establishment.