Importance of SSL certificates – implications from the DigiNotar issue

18 09 2011

Many companies’ websites have an SSL certificate issued by a trusted Certificate Authority (CA) to prove to a user’s browser that it is talking to the genuine site and that the connection between them is encrypted. This protects private information such as health history and credit card numbers from being stolen in transit.

So what happens if a trusted Certificate Authority issues fraudulent certificates? You can’t tell whether the website you are visiting is a phishing site or the real one. Even though your transaction is encrypted, someone in the middle might be able to steal your user ID and password.

And it HAPPENED on Aug 29th. The news said [1], “An Iranian user reported that there is the threat of man-in-the-middle attacks using a fake SSL certificate that was circulating as of Aug. 29. The fake certificate, which was legitimately signed, was displayed when logging into Google’s Gmail.”

This SSL certificate was issued by a Dutch CA called DigiNotar. Their systems were accessed illegally on July 19th, and the intruder issued more than 500 fraudulent certificates for major domains such as google.com, skype.com, http://www.facebook.com, *.windowsupdate.com, and the Dutch government’s official websites.

Most browser vendors reacted immediately by distributing updates that reject the SSL certificates issued by DigiNotar. However, some people’s private information may have been stolen between July 19th and Aug 29th, while the fraudulent certificates were still trusted.
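To make the trust decision described above concrete, here is an added Python illustration; it is not code from the original post, from DigiNotar, or from any browser vendor. It assumes the third-party `cryptography` package is installed and models a browser’s built-in root list as a plain in-memory list of certificates. The CA names, the hostname `mail.example.com`, and the helpers `verify_leaf` and `distrust` are all constructed for this example. Two root CAs are created and both are trusted; the “compromised” one signs a certificate for a hostname it should never have issued, a browser trusting that root accepts it, and once the root is removed (what the vendors’ updates did) the same certificate is rejected while the genuine one is still accepted.

```python
"""Toy model of the trust decision a browser makes for an HTTPS certificate.
Added illustration, not code from the post, DigiNotar or any browser vendor.
Assumes the `cryptography` package; names and hostnames are constructed."""
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

def _name(common_name):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])

def _validity(cert):
    """(not_before, not_after) as aware UTC datetimes, across library versions."""
    if hasattr(cert, "not_valid_before_utc"):
        return cert.not_valid_before_utc, cert.not_valid_after_utc
    utc = datetime.timezone.utc
    return (cert.not_valid_before.replace(tzinfo=utc),
            cert.not_valid_after.replace(tzinfo=utc))

def _builder(subject, issuer, public_key, days):
    now = datetime.datetime.now(datetime.timezone.utc)
    return (x509.CertificateBuilder()
            .subject_name(subject).issuer_name(issuer).public_key(public_key)
            .serial_number(x509.random_serial_number())
            .not_valid_before(now - datetime.timedelta(days=1))
            .not_valid_after(now + datetime.timedelta(days=days)))

def make_root_ca(name):
    """Self-signed root CA: the kind of certificate a browser ships pre-trusted."""
    key = ec.generate_private_key(ec.SECP256R1())
    cert = (_builder(_name(name), _name(name), key.public_key(), 3650)
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert

def issue_leaf(ca_key, ca_cert, hostname):
    """Have a CA sign a server certificate whose SAN names `hostname`."""
    key = ec.generate_private_key(ec.SECP256R1())
    return (_builder(_name(hostname), ca_cert.subject, key.public_key(), 90)
            .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
            .add_extension(x509.SubjectAlternativeName([x509.DNSName(hostname)]), critical=False)
            .sign(ca_key, hashes.SHA256()))

def hostname_matches(pattern, hostname):
    """Exact match, or a single-label wildcard such as *.example.com."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".example.com"; the wildcard covers exactly one label
        return hostname.endswith(suffix) and "." not in hostname[:-len(suffix)]
    return False

def verify_leaf(leaf, trust_store, hostname):
    """Simplified browser check: trusted issuer, valid signature, validity window, name."""
    now = datetime.datetime.now(datetime.timezone.utc)
    issuer = next((r for r in trust_store if r.subject == leaf.issuer), None)
    if issuer is None:
        return False, "issuer not in trust store"
    try:  # the issuer's public key must verify the signature over the TBS bytes
        issuer.public_key().verify(leaf.signature, leaf.tbs_certificate_bytes,
                                   ec.ECDSA(leaf.signature_hash_algorithm))
    except InvalidSignature:
        return False, "signature does not verify under the issuer's key"
    not_before, not_after = _validity(leaf)
    if not (not_before <= now <= not_after):
        return False, "certificate expired or not yet valid"
    san = leaf.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    if not any(hostname_matches(n, hostname) for n in san.get_values_for_type(x509.DNSName)):
        return False, "hostname not covered by certificate"
    return True, "ok"

def distrust(trust_store, ca_name):
    """Model the vendor update: drop every root whose common name is `ca_name`."""
    return [r for r in trust_store if r.subject != _name(ca_name)]

def build_scenario():
    """Replay the DigiNotar situation with two constructed root CAs."""
    honest_key, honest_root = make_root_ca("Honest Root CA")
    rogue_key, rogue_root = make_root_ca("Compromised Root CA")  # stands in for the breached CA
    store = [honest_root, rogue_root]  # both shipped as trusted before the incident
    host = "mail.example.com"  # constructed hostname
    fraudulent = issue_leaf(rogue_key, rogue_root, host)  # signed by the breached CA
    genuine = issue_leaf(honest_key, honest_root, host)
    updated = distrust(store, "Compromised Root CA")  # the emergency browser update
    return {
        "fraudulent_before_update": verify_leaf(fraudulent, store, host),
        "fraudulent_after_update": verify_leaf(fraudulent, updated, host),
        "genuine_after_update": verify_leaf(genuine, updated, host),
        "genuine_wrong_host": verify_leaf(genuine, updated, "shop.example.com"),
    }

if __name__ == "__main__":
    for label, (ok, reason) in build_scenario().items():
        print(f"{label:26s} {'TRUSTED' if ok else 'REJECTED'}: {reason}")
```

The point the scenario makes is that the fraudulent certificate is cryptographically flawless: the signature verifies, the dates are fine, the hostname matches. The only thing that separates it from the genuine one is whether its issuer is still in the trust store, which is exactly why the browser vendors’ fix was to remove the CA rather than to block individual certificates.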

This year we’ve seen a lot of security news, starting with Sony’s case [2]. It’s hard to protect ourselves when hackers break into the companies we trust. However, I think we can do at least two things to mitigate the risk. One is to keep every piece of software updated to its latest version. The other is to try to understand the basic technical aspects of each issue. In the DigiNotar case, without an understanding of SSL certificates, we can’t know how much impact it may have.

[1] http://www.eweek.com/c/a/Security/Fake-Google-SSL-Certificate-Emerges-With-Ability-to-Hijack-User-Accounts-270126/

[2] http://ctoinsights.trendmicro.com/2011/06/what-we-can-learn-from-recent-hacks/
