In the last few years, a significant increase in security breaches at certificate authorities (CAs) has caused many to question the reliability and security of the digital certificate system. The attacks on Comodo and DigiNotar were the widely publicized CA breaches, but they were not the only ones. There were dozens of other CA breaches that simply did not make the news.
Generally, when a CA has a breach, any potentially compromised certificates are revoked. Once the body of clients updates their certificate revocation list (CRL) or queries an OCSP (Online Certificate Status Protocol) server, the offending certificates are no longer of concern. The compromise of Comodo was handled in this manner.
When a breach is discovered that may affect the majority of certificates issued by a CA, as happened in the case of DigiNotar, the response is to reject not just the affected certificates but the whole CA. Every major browser and operating system vendor distributed an update to their software which removed the DigiNotar CA from the TRL (Trusted Root List) of locally trusted CAs. This effectively cut off DigiNotar from being able to sell certificate services, causing it to shut its doors.
Both breaches, that of Comodo and DigiNotar, were due to vulnerabilities in their Web services. Hopefully other CAs have learned from their example and have taken steps to plug similar holes and prevent repeat performances on their certificate systems.
One of the reasons for the severe and abrupt reaction to the DigiNotar breach was the fact that signs of security compromises by Iranian and Turkish hackers could be traced back to as early as 2009. Given the years of possible control by malicious hackers, it was unknown how many certificates had been fraudulently issued. The only option left to protect the general population of Internet users against abuse of these impostor certificates was to stop accepting DigiNotar's certificates altogether.
During subsequent investigations it was discovered that at least 531 false certificates had been issued. These certificates were issued using the identities of Google, Yahoo, Mozilla, WordPress, The Tor Project, and other highly popular sites. An unknown number of false Web sites were “signed” and verified using the fraudulent certificates. It is unknown how many Internet users were fooled by the subterfuge.
In my next post, I’ll explain in further detail how security breaches of certificate authorities take place.