In a previous post we discussed how SSL was developed and how SSL and certificate authorities (CAs) help to protect information that is transferred over the internet. Recently, however, there has been a lot of talk about the trustworthiness of certificate authorities. This discussion was sparked by the discovery that a certificate authority had been compromised by hackers. Using this CA, the hackers managed to issue fake certificates for Google, Yahoo!, Mozilla, WordPress and others. Not long after, another widely used CA was hacked, and at present at least four CAs are suspected to have been compromised.
The problem is that any trusted root CA or sub CA can issue a certificate for any website on the internet. If the certificate is requested through the standard certificate request process, the CA would generally validate the ownership of the site, but if a hacker manages to get control of the CA they can issue certificates for any site they wish. The root certificates of all trusted CAs are stored in popular web browsers like IE, Firefox and Chrome. Because of this, any certificate, even a fake one, issued by a trusted root CA is displayed as a trusted, SSL-encrypted website.
Several alternatives have been suggested recently, such as DNSSEC and certificate pinning, but for the foreseeable future certificate authorities will continue to be the primary method of site identity verification. Although there have been security breaches, SSL and certificate authorities continue to protect millions of transactions every day.
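To make the two points above concrete (that a browser accepts a certificate from any root in its store, and that certificate pinning rejects a certificate whose key is not the one the site operator published), here is an added example written for this post; it is not code from the original article or from any browser or CA. It builds two throwaway root CAs in memory with Go's standard library (the names "Genuine Root CA (test)" and "Compromised Root CA (test)" and the host www.example.com are constructed test data), has both issue a certificate for the same host, and then runs each certificate through a browser-style chain check and through an SPKI-hash pin check.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// ca bundles a CA certificate with the private key that signs on its behalf.
type ca struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// newRootCA creates a self-signed root CA (constructed test data, not a real CA).
func newRootCA(name string) (*ca, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &ca{cert: cert, key: key}, nil
}

// issueLeaf has the CA sign a server certificate for host. Nothing here verifies that the
// requester controls host: that ownership check is exactly what a compromised CA skips.
func (c *ca) issueLeaf(host string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, c.cert, &key.PublicKey, c.key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// browserTrusts mimics a browser: the leaf is accepted if it chains to any root in the store
// and its name matches the host being visited.
func browserTrusts(leaf *x509.Certificate, host string, roots *x509.CertPool) bool {
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err == nil
}

// spkiPin returns the SHA-256 of the certificate's SubjectPublicKeyInfo, the value a pin records.
func spkiPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// pinnedTrusts accepts the leaf only if its public key matches the pin the site operator published,
// regardless of which CA signed it.
func pinnedTrusts(leaf *x509.Certificate, pin string) bool {
	return spkiPin(leaf) == pin
}

// result records which checks each of the two certificates passes.
type result struct {
	StoreGenuine, StoreRogue, PinGenuine, PinRogue bool
}

// demo builds a genuine and a compromised root, has both issue a certificate for the same host,
// and runs each certificate through the trust-store check and the pin check.
func demo() (result, error) {
	const host = "www.example.com" // constructed test host
	genuineCA, err := newRootCA("Genuine Root CA (test)")
	if err != nil {
		return result{}, err
	}
	rogueCA, err := newRootCA("Compromised Root CA (test)")
	if err != nil {
		return result{}, err
	}
	genuineLeaf, err := genuineCA.issueLeaf(host)
	if err != nil {
		return result{}, err
	}
	rogueLeaf, err := rogueCA.issueLeaf(host)
	if err != nil {
		return result{}, err
	}
	// Both roots sit in the trust store, just as every shipped root does in a browser.
	store := x509.NewCertPool()
	store.AddCert(genuineCA.cert)
	store.AddCert(rogueCA.cert)
	// The site operator pins the key they actually deployed.
	pin := spkiPin(genuineLeaf)
	return result{
		StoreGenuine: browserTrusts(genuineLeaf, host, store),
		StoreRogue:   browserTrusts(rogueLeaf, host, store),
		PinGenuine:   pinnedTrusts(genuineLeaf, pin),
		PinRogue:     pinnedTrusts(rogueLeaf, pin),
	}, nil
}

func main() {
	r, err := demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("trust store accepts genuine=%v rogue=%v; pin accepts genuine=%v rogue=%v\n",
		r.StoreGenuine, r.StoreRogue, r.PinGenuine, r.PinRogue)
}
```

The trust-store check passes for both certificates, which is the weakness the post describes: the browser has no way to know which of its hundreds of trusted roots is supposed to vouch for a given site. The pin check passes only for the certificate carrying the operator's real key, which is why pinning limits the damage a compromised CA can do, at the cost of the operator having to manage and rotate the pinned keys.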
