Human error has been blamed for an incident in which digital certificates claiming to belong to the French administration were signed.
The French security agency said in a statement that an effort to “strengthen the overall IT security of the French Ministry of Finance” led to digital certificates being signed by the certification authority (CA) of the DGTrésor (Treasury), which is attached to the agency.
It said: “The mistake has had no consequences on the overall network security, either for the French administration or the general public. The aforementioned branch of the IGC/A has been revoked preventively.
“The reinforcement of the whole IGC/A process is currently under supervision to make sure no incident of this kind will ever happen again.”
The issue was initially detected by Google, whose security engineer Adam Langley said that the company became aware of unauthorised digital certificates for several Google domains and, after investigation, found that the certificate was issued by an intermediate CA that linked back to ANSSI, a French certificate authority. “Intermediate CA certificates carry the full authority of the CA, so anyone who has one can use it to create a certificate for any website they wish to impersonate,” he said.
He confirmed that Chrome’s certificate revocation metadata was updated to block that intermediate CA, and that Google alerted ANSSI and other browser vendors.
“ANSSI has found that the intermediate CA certificate was used in a commercial device, on a private network, to inspect encrypted traffic with the knowledge of the users on that network. This was a violation of their procedures and they have asked for the certificate in question to be revoked by browsers. We updated Chrome’s revocation metadata again to implement this,” he said.