News & Features | Mar 28th, 2014

The Dubious World of Website Certificate Authorities

Jared Howe

Many assume that if a website uses HTTPS (Hypertext Transfer Protocol Secure), it’s completely secure, but a deeper look into the website certificates indicates otherwise.

We know that numerous retailers and banks, as well as social media websites, use secure websites — HTTPS — to provide online security. Your web browser treats a website as a “secure” one if it has “https” in its URL, and it will display a small lock symbol next to that URL. SSL (Secure Sockets Layer), the technology behind HTTPS, creates an encrypted tunnel between a website and your browser which, in theory, ensures that all data passed between them remains hidden from any eavesdroppers in transit.

The catch is that an SSL-secured website is only safe to use if you are sure that the website is real. It’s possible for hackers to create fake websites that look very much like the real thing and if you enter your login information into a fake website, the hacker can use this information to impersonate you and log into your account on the real website.

How can you (or better yet, your browser) tell if a website is the real thing or not? By using something called SSL certificates, which are created and managed by certificate authorities.

Understanding Certificate Authorities

A certificate authority (CA) is a trusted organization that issues and manages the SSL certificates, and the associated public and private keys, used by secure websites. When a user visits a secure website, the browser receives the website’s SSL certificate, which is digitally signed by the CA, together with a signature that the website itself creates using a private key known only to the website operator.

The browser already knows the public keys of many trusted certificate authorities and can use them to verify the CA’s signature on the certificate, and so decide whether to trust the website’s certificate. The browser then uses a public key in the signed certificate to verify the website’s own signature, thereby confirming that you have browsed to the real website and not an imposter.

So long as a fake website does not know the website’s corresponding private key, it cannot create the signature needed to verify the website’s authenticity.  

The Problem with Certificate Authorities

The issue is that these SSL certificates can be forged or stolen. Hackers can create their own look-alike SSL certificates, signed by their own CAs. Alternatively, hackers can steal certificates and private keys from CAs or website owners with lax system security. These faked or stolen SSL certificates can then be installed on fake websites in order to perform man-in-the-middle attacks or attach malware that infects your computer.

Back in 2011, DigiNotar, a Dutch firm which issues these certificates, admitted that hackers had stolen over 500 of their digital certificates, including those for intelligence sources such as the CIA, the UK’s MI6 and Israel’s Mossad, as well as Microsoft, Yahoo, Skype, Facebook, and Twitter. Researchers think that these hackers originated from Iran.

In response, Google and Mozilla indicated that they would permanently block all digital certificates issued by DigiNotar.

These kinds of thefts highlight yet another HTTPS vulnerability, and show why we should not assume that secure websites are foolproof in terms of our online security.
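The trust decision described above can be reproduced locally with the openssl command-line tool. This is an added example, not part of the original article: it assumes openssl is installed, and the CA names, the trust-store files and the hostname shop.example are constructed for illustration.

```shell
#!/bin/sh
# Constructed demo: every name, key and certificate here is generated locally.
WORK=$(mktemp -d)

# make_ca NAME: create a self-signed root CA (NAME.key, NAME.pem).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# issue CA NAME HOST: the CA signs a certificate for HOST, saved as NAME.pem.
issue() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.pem" \
        -CAkey "$WORK/$1.key" -CAcreateserial -days 30 \
        -out "$WORK/$2.pem" 2>/dev/null
}

# check STORE NAME: print "trusted" if NAME.pem chains to a CA in STORE.pem.
check() {
    if openssl verify -CAfile "$WORK/$1.pem" "$WORK/$2.pem" 2>/dev/null |
        grep -q ': OK$'; then echo trusted; else echo rejected; fi
}

run_demo() {
    make_ca trusted-ca      # stands in for a CA the browser ships with
    make_ca rogue-ca        # a CA the browser has never heard of
    make_ca other-ca        # a second, unrelated trusted CA
    issue trusted-ca real      shop.example   # the genuine site
    issue rogue-ca   lookalike shop.example   # same name, unknown signer
    issue trusted-ca misissued shop.example   # signed with the CA's own key
    # Trust store before and after the browser drops trusted-ca.
    cat "$WORK/trusted-ca.pem" "$WORK/other-ca.pem" > "$WORK/store.pem"
    cp "$WORK/other-ca.pem" "$WORK/store-after.pem"
    echo "real=$(check store real)" \
         "lookalike=$(check store lookalike)" \
         "misissued=$(check store misissued)" \
         "real-after-distrust=$(check store-after real)"
}

run_demo
```

The look-alike signed by an unknown CA is rejected, but a certificate signed with a trusted CA's own key is accepted just like the genuine one. That is why the only remedy is to drop the CA from the trust store, as Google and Mozilla did with DigiNotar, which also rejects every legitimate certificate that CA issued.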
