14 DAY TRIAL // France’s National Agency for the Security of Information Systems (ANSSI) says that it has identified some certificates erroneously issued by an intermediate certificate authority (CA).
“As a result of a human error which was made during a process aimed at strengthening the overall IT security of the French Ministry of Finance, digital certificates related to third-party domains which do not belong to the French administration have been signed by a certification authority of the DGTrésor (Treasury) which is attached to the IGC/A,” ANSSI noted.
“The mistake has had no consequences on the overall network security, either for the French administration or the general public. The aforementioned branch of the IGC/A has been revoked preventively.”
After the certificates were detected, ANSSI asked browser vendors to revoke the certificates in question.
Google says that it has updated Chrome’s revocation metadata to revoke the certificates. The search engine giant said that it became aware of the unauthorized certificates, which were used for several Google domains, on December 3.
The company immediately notified ANSSI, which clarified that the certificate issued by the intermediate CA had been used to inspect encrypted traffic on a private network. Users on that network were aware of it, but since the incident represents a violation of the French agency’s procedures, the certificates in question have been revoked.
Opera has also updated its products to blacklist the intermediate certificate after being alerted by Google. Users are not required to take any action since the browser update is pushed out automatically.
The company highlights the fact that Opera 12 users are not impacted since this version of the web browser had never trusted ANSSI certificates.
“The update demonstrates how Opera can ensure the safety of users, even when CAs misbehave, and even though we no longer operate our own root store,” Opera developer Sigbjørn Vik explained.