Importance of SSL certificates: implications of the DigiNotar issue

18 09 2011

Many companies' websites carry an SSL certificate issued by a trusted Certificate Authority (CA). The certificate binds the site's domain name to its public key, which lets a user's browser confirm that it is talking to the genuine site before it sets up the encrypted connection. This protects private information such as health history and credit card numbers from being read or stolen in transit.

So what happens if a trusted Certificate Authority issues fraudulent certificates? Your browser can no longer tell whether the site you are visiting is a phishing site or the real one, because the fake certificate passes every check the browser makes. Even though your traffic is encrypted, it is encrypted to the attacker sitting in the middle, who can read your user ID and password.

And it happened on Aug 29th. The news reported [1]: “An Iranian user reported that there is the threat of man-in-the-middle attacks using a fake SSL certificate that was circulating as of Aug. 29. The fake certificate, which was legitimately signed, was displayed when logging into Google’s Gmail.”

This SSL certificate had been issued by a Dutch CA called DigiNotar. Attackers gained unauthorized access to DigiNotar's CA systems on July 19th and issued more than 500 fraudulent certificates for major domains such as google.com, skype.com, http://www.facebook.com, *.windowsupdate.com, and the official websites of the Dutch government.

Most browser vendors reacted immediately, shipping updates that remove DigiNotar's root certificates from the browser's trust store, so that every certificate DigiNotar ever issued is rejected. Simply revoking the rogue certificates would not have been enough: an attacker who is already in the middle of the connection can also block the browser's revocation lookup (OCSP or CRL), and browsers of the time treated an unanswered lookup as "not revoked". However, anyone whose connections were intercepted between July 19th and Aug 29th, while the rogue certificates were still trusted, may have had private information stolen.
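To make the chain of reasoning above concrete, here is an added example (written for this post, not code from DigiNotar, Google or any browser vendor) that models the checks a browser runs on a certificate chain: name matching, chaining to a root in the trust store, a revocation lookup, and public key pinning. It does not parse real X.509 or verify signatures; certificates are plain records, and every CA name, serial number and key below is constructed for illustration. The four scenarios show why a "legitimately signed" rogue certificate is accepted by an unpatched browser even when the CA has revoked it and the attacker blocks OCSP, why a browser that pins the legitimate keys for the domain rejects it, and why removing the root from the trust store (what the vendor updates did) rejects it as well.

```python
"""Toy model of how a browser decides whether to trust a TLS certificate chain.

Added example for this post; not code from DigiNotar or any browser vendor.
Certificates are plain records (subject, issuer, serial, stand-in key bytes).
Real X.509 parsing and signature verification are out of scope, so "chaining
to a root" here checks only name linkage and trust-store membership.
Every name, serial and key below is constructed.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str   # name the certificate is issued to (CN, possibly a wildcard)
    issuer: str    # name of the CA that signed it
    serial: int    # serial number, the key an OCSP/CRL revocation entry uses
    spki: bytes    # stand-in for the SubjectPublicKeyInfo (the public key)

    @property
    def fingerprint(self) -> str:
        # Pins are hashes of the SPKI, not of the whole certificate, so a CA can
        # re-issue a certificate for the same key without breaking the pin.
        return hashlib.sha256(self.spki).hexdigest()


def hostname_matches(hostname: str, pattern: str) -> bool:
    """Exact match, or a single-label wildcard such as *.google.com."""
    if pattern.startswith("*."):
        host_labels, pat_labels = hostname.split("."), pattern.split(".")
        return len(host_labels) == len(pat_labels) and host_labels[1:] == pat_labels[1:]
    return hostname == pattern


def chain_to_root(chain, roots, distrusted=frozenset()):
    """Chain is leaf first, root last. Returns (ok, reason)."""
    for child, parent in zip(chain, chain[1:]):
        if child.issuer != parent.subject:
            return False, f"{child.subject!r} is not issued by {parent.subject!r}"
    root = chain[-1]
    if root.issuer != root.subject or roots.get(root.subject) != root:
        return False, f"{root.subject!r} is not in the trust store"
    if root.subject in distrusted:
        return False, f"{root.subject!r} was removed from the trust store by an update"
    return True, f"chain ends at trusted root {root.subject!r}"


def revocation_check(cert, revoked_serials, ocsp_reachable, soft_fail=True):
    """OCSP/CRL lookup. A man-in-the-middle can block the responder, and
    browsers of the time soft-failed: 'no answer' was treated as 'not revoked'."""
    if not ocsp_reachable:
        return soft_fail, "revocation status unknown (responder unreachable)"
    if cert.serial in revoked_serials:
        return False, f"serial {cert.serial} is revoked"
    return True, "not revoked"


def pin_check(hostname, chain, pins):
    """Public key pinning: some key in the chain must match a pinned SPKI hash."""
    expected = pins.get(hostname)
    if expected is None:
        return True, "no pins for this host"
    if any(c.fingerprint in expected for c in chain):
        return True, "pinned key present in chain"
    return False, "no certificate in the chain carries a pinned key"


def evaluate(hostname, chain, roots, *, distrusted=frozenset(), revoked=frozenset(),
             ocsp_reachable=True, pins=None):
    """Run the checks a browser runs; returns (accepted, list of reasons)."""
    name_ok = hostname_matches(hostname, chain[0].subject)
    checks = [
        (name_ok, f"leaf name {chain[0].subject!r} "
                  f"{'matches' if name_ok else 'does not match'} {hostname!r}"),
        chain_to_root(chain, roots, distrusted),
        revocation_check(chain[0], revoked, ocsp_reachable),
        pin_check(hostname, chain, pins or {}),
    ]
    return all(ok for ok, _ in checks), [reason for _, reason in checks]


# Constructed sample data: a legitimate chain for www.google.com and a rogue
# wildcard certificate signed by a toy "DigiNotar" root the browser also trusts.
LEGIT_ROOT = Cert("Example Root CA", "Example Root CA", 1, b"example-root-key")
LEGIT_INT = Cert("Example Intermediate CA", "Example Root CA", 2, b"example-int-key")
LEGIT_LEAF = Cert("www.google.com", "Example Intermediate CA", 3, b"google-web-key")
DIGINOTAR_ROOT = Cert("DigiNotar Root CA", "DigiNotar Root CA", 1, b"diginotar-root-key")
ROGUE_LEAF = Cert("*.google.com", "DigiNotar Root CA", 4, b"attacker-key")

TRUST_STORE = {c.subject: c for c in (LEGIT_ROOT, DIGINOTAR_ROOT)}
GOOGLE_PINS = {"www.google.com": {LEGIT_ROOT.fingerprint, LEGIT_INT.fingerprint}}
HOST = "www.google.com"
ROGUE_CHAIN = [ROGUE_LEAF, DIGINOTAR_ROOT]


def scenarios():
    """The situations discussed in the post, as (accepted, reasons) per name."""
    return {
        "legitimate": evaluate(HOST, [LEGIT_LEAF, LEGIT_INT, LEGIT_ROOT], TRUST_STORE),
        # CA has revoked serial 4, but the attacker blocks OCSP and the browser soft-fails
        "rogue, unpatched browser": evaluate(HOST, ROGUE_CHAIN, TRUST_STORE,
                                             revoked={4}, ocsp_reachable=False),
        # same attack against a browser that pins the legitimate keys for the host
        "rogue, pinning browser": evaluate(HOST, ROGUE_CHAIN, TRUST_STORE, revoked={4},
                                           ocsp_reachable=False, pins=GOOGLE_PINS),
        # same attack after the vendor update that removed the DigiNotar root
        "rogue, patched browser": evaluate(HOST, ROGUE_CHAIN, TRUST_STORE,
                                           distrusted={"DigiNotar Root CA"},
                                           ocsp_reachable=False),
    }


if __name__ == "__main__":
    for name, (accepted, reasons) in scenarios().items():
        print(f"{name}: {'ACCEPT' if accepted else 'REJECT'}")
        for reason in reasons:
            print("   -", reason)
```

Running the block prints one verdict per scenario with the reason from each check. The point to take away is that in the "unpatched" case every check passes: the name matches, the chain ends at a root the browser trusts, and the revocation lookup never gets an answer, so the only defences that actually stop the attack are ones that do not depend on the compromised CA or on a network lookup the attacker controls, namely pinning and removing the root from the trust store.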

This year we have seen a lot of security news, starting with Sony's case [2]. It is hard to protect ourselves when attackers compromise the very companies we trust. However, I think we can do at least two things to mitigate the risk. One is to keep every piece of software, browsers and operating systems above all, updated to the latest version, since that is how the DigiNotar distrust reached users. The other is to try to understand the basic technical aspects of each issue: in the DigiNotar case, without understanding what an SSL certificate does and does not guarantee, we cannot judge how much impact it may have.

[1] http://www.eweek.com/c/a/Security/Fake-Google-SSL-Certificate-Emerges-With-Ability-to-Hijack-User-Accounts-270126/

[2] http://ctoinsights.trendmicro.com/2011/06/what-we-can-learn-from-recent-hacks/