Google: Maintaining digital certificate security

It seems it was about time for another certificate authority horror story;the Google Online Security Blog duly delivers."CNNIC responded on the 22nd to explain that they had contracted withMCS Holdings on the basis that MCS would only issue certificates fordomains that they had registered. However, rather than keep the private keyin a suitable HSM, MCS installed it in a man-in-the-middle proxy. Thesedevices intercept secure connections by masquerading as the intendeddestination and are sometimes used by companies to intercept theiremployees' secure traffic for monitoring or legal reasons. The employees'computers normally have to be configured to trust a proxy for it to be ableto do this. However, in this case, the presumed proxy was given the fullauthority of a public CA, which is a serious breach of the CAsystem."