Further evidence of Certificate Authority break-ins
In a feature article on the security of SSL, Peter Eckersley from the Electronic Frontier Foundation has said that at least five Certificate Authorities (CAs) have been compromised in the past four months. Eckersley extracted this information from the revocation lists that are released by the CAs.
These "Certificate Revocation Lists" (CRLs) contain certificates that can no longer be considered valid. CAs revoke certificates for a variety of reasons – for example, when customers close down a business division (cessation of operation) or lose their secret key (key compromise). What was notable was the inclusion of 248 cases in the CRLs where the stated reason was that the responsible Certificate Authority had been compromised. Up to June 2011, only 55 certificates were revoked for this reason. The nearly 200 certificates that have been revoked since then were issued by four different CAs.
This means that, within only four months, hackers compromised at least five CAs in order to issue unauthorised certificates. And that is only the absolute minimum: in the large majority of cases – over 900,000 in total – the CRL issuer chose not to fill in the optional field where a reason can be given. Such CA intrusions are problematic because any of the accredited Certificate Authorities can issue certificates for any website. Browsers will accept them without complaint – and that applies to Gmail as much as to Deutsche Bank's online banking facility. According to the EFF's SSL Observatory, our browsers trust more than 600 CAs in over 50 countries.
Update: The EFF detected an error in deduplication of CA organisations and corrected the number of compromised CAs from 5 to 4 (See Update 27/10/2011). The H has updated this article to reflect that change.
- CA DigiNotar bankrupt after SSL certificate debacle, a report from The H.
- Fake Google certificate is the result of a hack, a report from The H.
- Single hacker claims responsibility for Comodo certificate theft, a report from The H.