We know that numerous retailers and banks, as well as social media websites, use secure websites — HTTPS — to provide online security. Your web browser can tell that a website is a “secure” one if its URL begins with “https”, and it will display a small lock symbol next to that URL. SSL (Secure Sockets Layer), the technology behind HTTPS, creates an encrypted tunnel between a website and your browser which, in theory, ensures that all data passed between them remains hidden from any eavesdropper in transit.
The catch is that an SSL-secured website is only safe to use if you are sure that the website is real. It’s possible for hackers to create fake websites that look very much like the real thing, and if you enter your login information into a fake website, the hacker can use this information to impersonate you and log into your account on the real website.
How can you (or better yet, your browser) tell if a website is the real thing or not? By using something called SSL certificates, which are created and managed by certificate authorities.
Understanding Certificate Authorities
A certificate authority (CA) is a trusted organization that issues and manages SSL certificates, which vouch for the public keys used by secure websites. When a user visits a secure website, the browser receives the website’s SSL certificate, digitally signed by the CA; the website also proves, using a private key known only to the website operator, that it holds the key matching the public key in that certificate.
The browser already knows the public keys of many trusted certificate authorities and can use them to verify the CA’s signature on the certificate, and so trust the website’s certificate. The browser then uses the public key in the signed certificate to verify the website’s own signature, thereby confirming that you have browsed to the real website and not an imposter.
So long as a fake website does not know the real website’s corresponding private key, it cannot produce the signature the browser needs to verify the website’s authenticity.
The Problem with Certificate Authorities
The issue is that these SSL certificates can be forged or stolen. Hackers can create their own look-alike SSL certificates, signed by their own CAs. Alternatively, hackers can steal certificates and private keys from CAs or website owners with lax system security. These forged or stolen SSL certificates can then be installed on fake websites in order to perform man-in-the-middle attacks or deliver malware that infects your computer.
Back in 2011, DigiNotar, a Dutch firm which issues these certificates, admitted that hackers had stolen over 500 of their digital certificates, including those for intelligence agencies such as the CIA, the UK’s MI6 and Israel’s Mossad, as well as Microsoft, Yahoo, Skype, Facebook, and Twitter. Researchers think that these hackers originated from Iran.
In response, Google and Mozilla indicated that they would permanently block all digital certificates issued by DigiNotar.
These kinds of thefts highlight yet another HTTPS vulnerability, and show why we should not assume that secure websites are foolproof in terms of our online security.
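The checks described above (a browser verifying a certificate against its store of trusted CAs, a forged certificate signed by an untrusted CA being rejected, a CA being dropped from the trust store as happened to DigiNotar, and an imposter lacking the private key behind the real certificate) can be reproduced end to end with Go's standard crypto/x509 package, which performs the same chain and hostname validation a browser does. The program below is an added example written for this page, not code from the original article or from any CA or browser; the CA names, the hostname bank.example and the serial-number scheme are constructed for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// identity pairs a certificate with the private key behind its public key.
type identity struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// newCert issues a certificate for name; a nil issuer means self-signed (a root CA
// or a forger's home-made certificate), otherwise the issuer's private key signs it.
func newCert(name string, isCA bool, issuer *identity) (identity, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return identity{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // toy serial; real CAs use random ones
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if !isCA { // browsers match the hostname against the SAN extension, not the CN
		tmpl.DNSNames = []string{name}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	parent, signer := tmpl, key
	if issuer != nil {
		parent, signer = issuer.cert, issuer.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return identity{}, err
	}
	cert, err := x509.ParseCertificate(der)
	return identity{cert, key}, err
}

func mustIssue(id identity, err error) identity {
	if err != nil {
		panic(err)
	}
	return id
}

// browserCheck is the client side: the leaf must be valid for host and chain up to a trusted root.
func browserCheck(leaf *x509.Certificate, roots *x509.CertPool, host string) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// holdsKey reports whether key is the private key behind cert; a server cannot serve a cert without it.
func holdsKey(cert *x509.Certificate, key *ecdsa.PrivateKey) bool {
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	return ok && pub.Equal(&key.PublicKey)
}

// Outcome holds one result per check; a nil error means the browser accepted the certificate.
type Outcome struct {
	Genuine     error // real cert, trusted CA: accepted
	Forged      error // look-alike cert from the forger's own CA: rejected
	Distrusted  error // real cert after its CA is dropped from the trust store: rejected
	OperatorKey bool  // the operator holds the key behind the real cert: true
	ForgerKey   bool  // the forger holds that key: false
}

// RunScenario builds a trusted CA, the genuine certificate for host and a forged
// look-alike for the same host, then runs the browser- and server-side checks.
func RunScenario(host string) Outcome {
	ca := mustIssue(newCert("Trusted Root CA (constructed)", true, nil))
	site := mustIssue(newCert(host, false, &ca))
	forgerCA := mustIssue(newCert("Forger CA (constructed)", true, nil))
	fake := mustIssue(newCert(host, false, &forgerCA))
	trust := x509.NewCertPool()
	trust.AddCert(ca.cert)
	return Outcome{
		Genuine:     browserCheck(site.cert, trust, host),
		Forged:      browserCheck(fake.cert, trust, host),
		Distrusted:  browserCheck(site.cert, x509.NewCertPool(), host), // DigiNotar-style block
		OperatorKey: holdsKey(site.cert, site.key),
		ForgerKey:   holdsKey(site.cert, fake.key),
	}
}

func main() {
	fmt.Printf("%+v\n", RunScenario("bank.example"))
}
```

Running it prints a nil error for the genuine certificate, an "unknown authority" error for both the forged certificate and the distrusted CA, and true/false for the key-possession checks. The forged certificate carries the same hostname as the real one, so the only thing that stops the browser from accepting it is that its issuing CA is absent from the trust store, which is exactly why a compromised or rogue CA is so damaging and why Google and Mozilla responded to DigiNotar by removing it from that store.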