News & Features | Mar 28th, 2014

The Dubious World of Website Certificate Authorities

Jared Howe

Many assume that if a website uses HTTPS (Hypertext Transfer Protocol Secure), it is completely secure, but a closer look at how website certificates are issued and trusted shows otherwise.

Numerous retailers, banks and social media websites use HTTPS to protect their users. Your browser signals a "secure" connection by showing "https" in the URL and a small lock symbol next to it. SSL (Secure Sockets Layer), and its successor TLS (Transport Layer Security), is the technology behind HTTPS: it creates an encrypted tunnel between a website and your browser which, in theory, keeps all data passed between them hidden from eavesdroppers in transit.

The catch is that an SSL-secured connection is only as safe as your certainty that the website at the other end is the real one. Attackers can build fake websites that look very much like the real thing, and if you enter your login details into one of them, the attacker can use those details to log into your account on the real website.

How can you (or better yet, your browser) tell if a website is the real thing or not? By using something called SSL certificates, which are created and managed by certificate authorities.

Understanding Certificate Authorities

A certificate authority (CA) is a trusted organization that issues and manages SSL certificates: signed statements binding a website's name to a public key. The matching private key is generated and kept by the website operator; the CA never sees it. When a user visits a secure website, the browser receives the website's certificate, digitally signed by the CA with the CA's own private key, and during the connection handshake the website proves that it holds the private key matching the public key in that certificate.

The browser ships with the public keys of many trusted certificate authorities (its trust store) and uses them to verify the CA's signature on the certificate. It then checks that the name in the certificate matches the address you typed, and uses the public key in the certificate to verify the website's handshake signature, thereby confirming that you have reached the real website and not an impostor.

So long as a fake website does not know the real website's private key, it cannot produce that handshake signature, even if it has copied the certificate itself, which is public.

The Problem with Certificate Authorities

The issue is that this chain of trust can be subverted. An attacker can set up their own CA and issue look-alike certificates for any name they like, but a browser will only accept them if that CA is in its trust store, so such certificates work only when the victim has been tricked into installing the attacker's CA or clicks through the browser's warning. More seriously, attackers can steal a website's private key, or break into a legitimate, already-trusted CA with lax system security and have it issue certificates for sites they do not control. Such certificates, installed on a look-alike site or an interception proxy, allow man-in-the-middle attacks in which traffic is decrypted and read, or malware is served from what appears to be a trusted site.

Back in 2011, DigiNotar, a Dutch firm that issued these certificates, admitted that intruders had broken into its systems and fraudulently issued over 500 certificates, including ones for intelligence agencies such as the CIA, the UK's MI6 and Israel's Mossad, as well as for Microsoft, Yahoo, Skype, Facebook and Twitter. Researchers think the attackers originated from Iran.

In response, Google and Mozilla (along with other browser vendors) removed DigiNotar's root certificates from their trust stores, so that every certificate it had ever issued was permanently rejected.

Incidents like this highlight that HTTPS is only as trustworthy as the weakest CA your browser trusts, and show why we should not assume that "secure" websites are foolproof in terms of our online security.
