SSL certificate forgery

SSL certificates are one of the most important elements ensuring Internet security.
Despite the enormous security measures they offer, we should not forget that human ingenuity knows no bounds. Criminals are so organized and determined that they will exploit any loophole in defense, and unfortunately such weaknesses have already been found in SSL certificates in the past. Fortunately, the system provides a high level of security, and certificate forgery is extremely rare and requires a tremendous amount of work. It is also simple to detect, which allows certificate providers and browser manufacturers to respond quickly and protect Internet users.

How does SSL certificate forgery occur?

It should be remembered that SSL certificates are the most secure protection for website users; their registration and issuance are meticulously monitored, and any entity applying for an SSL certificate is subject to verification. Given this wide-ranging control, individuals and organizations seeking to obtain fake certificates primarily have two options:

  1. Break into the CA (Certification Authority), the certificate provider, making it possible to steal the keys.
  2. Break into the account of one of the users of the RA (Registration Authority), which would allow them to manually issue themselves a certificate.

An attack can be carried out by obtaining at least partial DNS access or through an insider attack, which is why hackers often use gateways to the network or computers located in the target network. This often means the Ethernet network itself has to be compromised accordingly. Another route to a fake SSL certificate is a dishonest provider; this method of fraud was once used by the French intelligence agency.

Which websites do fraudsters target?

Interestingly, in addition to bank websites and other services handling Internet payments, fraudsters also impersonate websites that collect information. For example, in 2011, certificates for login.live.com, mail.google.com, www.google.com, login.yahoo.com, login.skype.com, and addons.mozilla.org were successfully forged. It is also worth noting that, aside from individual hackers and independent groups, the intelligence services of various states — including Iran, Russia, and France — have been caught forging certificates.

How to defend against fake certificates?

We are often protected against fake certificates by the browser providers themselves. The most popular web browsers have certificate blacklists that are updated as soon as they receive information about a potential attack. Google itself, due to how often it became a victim of certificate forgery, introduced an additional security feature in its browser called public key pinning. The browser stores information about Google’s keys, making it possible to verify whether the SSL certificates for Google sites are authentic. Unfortunately, only the services belonging to the Silicon Valley giant are protected by this measure.

Another interesting solution is Mutually Endorsing CA Infrastructure: the certificate is verified by having three randomly selected authorities that issue SSL certificates confirm it. If one of these CAs does not confirm the validity of the certificate, the user is notified of potential fraud.

Another alternative is TACK (Trust Assertion for Certificate Keys): HTTPS websites sign a valid SSL certificate, together with the domain name and its expiration date, with a special TACK key. The browser stores information about the site, the certificate, and the key when the user visits the site. If the certificate is forged, the session will be terminated and the user will receive an appropriate warning.
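The key-pinning and remember-on-first-visit checks described above can be sketched as follows. This is an added example, not code from any browser or from the TACK specification: the PinStore class, the .example hostnames and the byte strings standing in for public keys are assumptions made for illustration.

```python
import base64
import hashlib
import time


def spki_pin(spki_der: bytes) -> str:
    """base64(SHA-256(SubjectPublicKeyInfo)), the pin form defined in RFC 7469."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


class PinStore:
    """Hypothetical client-side pin store; not a real browser API."""

    def __init__(self, preloaded=None, max_age=30 * 24 * 3600):
        # host -> (accepted pins, expiry timestamp; None = preloaded, never expires)
        self._pins = {h: (set(p), None) for h, p in (preloaded or {}).items()}
        self._max_age = max_age

    def check(self, host, chain_spkis, now=None):
        """chain_spkis: public keys of the presented chain, leaf first."""
        now = time.time() if now is None else now
        entry = self._pins.get(host)
        if entry and entry[1] is not None and entry[1] < now:
            entry = None  # learned pin expired: treat as a first visit
        if entry is None:
            # Remember the leaf key seen on first contact (trust on first use).
            self._pins[host] = ({spki_pin(chain_spkis[0])}, now + self._max_age)
            return "first-visit"
        presented = {spki_pin(k) for k in chain_spkis}
        # A chain from a different, even fully trusted, CA shares no pinned key.
        return "pinned-ok" if entry[0] & presented else "mismatch"


def demo():
    # Constructed byte strings stand in for DER-encoded public keys.
    store = PinStore(preloaded={"mail.example": [spki_pin(b"constructed-ca-key-A")]})
    return [
        store.check("mail.example", [b"constructed-leaf-1", b"constructed-ca-key-A"], now=0),
        store.check("mail.example", [b"constructed-leaf-2", b"constructed-ca-key-B"], now=0),
        store.check("shop.example", [b"constructed-leaf-3"], now=0),
        store.check("shop.example", [b"constructed-leaf-4"], now=60),
    ]


if __name__ == "__main__":
    print(demo())
```

A "mismatch" result is the case where the connection should be terminated and the user warned, even though ordinary chain validation would have accepted the certificate.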