
How to deal with forged SSL certificates

2025-04-05 Update From: SLTechnology News&Howtos shulou


Shulou(Shulou.com)06/01 Report--

Billions of Internet users blindly rely on hundreds of certificate authorities around the world to keep their personal data confidential and intact.

Certificate Authority and its role

A Certificate Authority (CA) is a trusted third party that issues and manages SSL/TLS certificates.

There are hundreds of trusted certificate authorities worldwide, and any one of them can issue a certificate for your domain name that browsers will accept as valid, regardless of which CA you bought your own certificate from.

Yes, this is the biggest weakness in the CA system.

SSL's chain of trust is broken.

Last year, Google discovered that Symantec, one of the certificate authorities, had issued a one-day pre-certificate for a Google domain name without Google's knowledge.

This was not the first time a certificate authority's power had been abused or misused to issue fraudulent digital certificates, putting the privacy of millions of Internet users at risk.

In March 2011, an attacker broke into the well-known certificate authority Comodo and obtained nine fraudulent certificates for seven web domains, including mail.google.com, addons.mozilla.org and login.yahoo.com. Later that year the Dutch certificate authority DigiNotar was also compromised and issued a large number of forged certificates.

Because the chain of trust was broken, millions of users were exposed to man-in-the-middle attacks.

In addition, documents leaked by Edward Snowden revealed that the National Security Agency had intercepted and decrypted large numbers of HTTPS-protected web sessions, suggesting that some supposedly trusted certificate authorities may have been under government control or acting with government authorisation.

What if a government requires one of these certificate authorities to issue fake SSL certificates for famous websites such as Facebook, Google or Yahoo?

This is not conjecture; it has actually happened. Government agencies and government-funded hackers have abused trusted certificate authorities to obtain fake digital certificates for well-known websites and used them to spy on users.

Some cases involving the government

1) In 2011, forged digital certificates issued by the DigiNotar certificate authority were used to attack the Gmail accounts of some 300,000 Iranian users.

2) In late 2013, Google discovered that the French government had forged a digital certificate for its domain name and used it to carry out man-in-the-middle attacks.

3) In 2014, Google confirmed another incident: the National Informatics Centre of India had used an unauthorised digital certificate for Google's domain name.

By now you can see how fragile the security that so-called certificate authorities give to HTTPS websites really is.

Do you still blindly trust certification authorities?

The DigiNotar and Comodo incidents were a wake-up call and brought the era of blind trust in certificate authorities to an end.

Question: how can you check whether a forged certificate for your domain name has been issued to someone else, or is even being used by an attacker?

Answer: the Certificate Transparency (CT) project aims to provide an open audit and monitoring system that lets any domain owner or certificate authority determine whether a certificate has been mistakenly issued or maliciously used, thereby improving the security of HTTPS websites.

In 2013, Google launched an industry-wide initiative called Certificate Transparency, an open source project for recording, auditing and monitoring the digital certificates that certificate authorities issue.

What is a certificate transparency system?

The Certificate Transparency project consists of three parts:

1) Certificate logs

2) Certificate monitors

3) Certificate auditors

Certificate Transparency requires certificate authorities to publicly announce every digital certificate they issue by recording it in a certificate log. Certificate logs give users a way to find all the digital certificates issued for a given domain name.

It is worth noting that the Certificate Transparency model does not replace the traditional CA-based validation process; it only gives you a way to verify that no certificates other than your own have been issued for your domain.

Certificate logs have three key properties:

Append-only: certificate records can only be added; they cannot be deleted, modified or retroactively inserted into the log.

Cryptographically assured: certificate logs use the well-known Merkle hash tree mechanism, so any tampering with the log can be detected.

Publicly auditable: anyone can query a log or verify that an issued digital certificate has been correctly recorded in it.
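As an added illustration (not code from the original article), the following Python builds the RFC 6962-style Merkle hash tree that CT logs use, over constructed stand-in entries rather than real certificates, produces an inclusion proof for one entry and verifies it; changing any logged entry changes the tree head, which is what lets auditors detect tampering.

```python
import hashlib

def hash_leaf(entry):
    # RFC 6962 leaf hash: SHA-256(0x00 || entry); the prefix separates leaves from interior nodes
    return hashlib.sha256(b"\x00" + entry).digest()

def hash_node(left, right):
    # RFC 6962 interior node hash: SHA-256(0x01 || left || right)
    return hashlib.sha256(b"\x01" + left + right).digest()

def split_point(n):
    # Largest power of two strictly less than n: where RFC 6962 splits a tree of n leaves
    k = 1
    while k * 2 < n:
        k *= 2
    return k

def tree_head(leaves):
    # Merkle Tree Hash of a non-empty list of leaf hashes (what a log signs and publishes)
    if len(leaves) == 1:
        return leaves[0]
    k = split_point(len(leaves))
    return hash_node(tree_head(leaves[:k]), tree_head(leaves[k:]))

def inclusion_proof(leaves, index):
    # Audit path for leaves[index]: sibling hashes ordered from the leaf up to the root
    if len(leaves) <= 1:
        return []
    k = split_point(len(leaves))
    if index < k:
        return inclusion_proof(leaves[:k], index) + [tree_head(leaves[k:])]
    return inclusion_proof(leaves[k:], index - k) + [tree_head(leaves[:k])]

def verify_inclusion(leaf, index, size, proof, root):
    # Rebuild the root from the leaf and its audit path (mirrors inclusion_proof's recursion);
    # a wrong leaf, a wrong index or a proof of the wrong length never reproduces the root
    def climb(idx, n, path):
        if n == 1 or not path:
            return leaf if n == 1 and not path else None
        k = split_point(n)
        if idx < k:
            below = climb(idx, k, path[:-1])
            return None if below is None else hash_node(below, path[-1])
        below = climb(idx - k, n - k, path[:-1])
        return None if below is None else hash_node(path[-1], below)
    return 0 <= index < size and climb(index, size, proof) == root

# Constructed stand-ins for logged certificates (not real DER-encoded certificates)
LOG = [b"example.com serial=1", b"mail.example.com serial=2", b"example.com serial=3",
       b"login.example.com serial=4", b"example.com serial=5"]
LEAVES = [hash_leaf(e) for e in LOG]
ROOT = tree_head(LEAVES)
```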

Under Certificate Transparency, each digital certificate carries a signed certificate timestamp (SCT) proving that the certificate was submitted to a log before it was issued.

Google, DigiCert, Symantec and some other certificate authorities currently operate these public logs.

Although Certificate Transparency does not prevent certificate authorities from issuing forged digital certificates, it makes them much easier to find.

Certificate Transparency lets people quickly identify digital certificates that were issued mistakenly or maliciously, limiting the resulting security problems, such as man-in-the-middle attacks.

Earlier this year, the Certificate Transparency system and monitoring services helped the Facebook security team detect fake certificates for multiple fb.com subdomains early.

In another article I described Facebook's Certificate Transparency monitoring service in detail; it can automatically and quickly discover problems with SSL certificates.

Facebook has confirmed to The Hacker News (THN) that a pilot of its Certificate Transparency monitoring service will be made available to the wider community free of charge in the coming months.

Certificate Transparency search tool

Does that sound interesting?

Comodo has launched a Certificate Transparency search tool that lists all certificates issued for a given domain name. Alternatively, you can try Google's Certificate Transparency lookup tool, which searches all currently public CT logs for the certificates issued for any given domain name.
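Once a search tool has returned every logged certificate for your domain, the remaining work is deciding which of them you did not expect. The following Python is an added example (not the article's code and not Facebook's service) of that monitoring step over constructed log entries: it keeps only entries that name your zone (including wildcards, and ignoring look-alike names such as example.com.attacker.test), and flags any certificate whose fingerprint you do not recognise, distinguishing an unknown issuer from an unexpected certificate issued by a CA you normally use. All names, issuers and fingerprints are constructed sample values.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class LogEntry:
    fingerprint: str   # SHA-256 of the logged (pre)certificate, hex (constructed values here)
    issuer: str        # issuing CA name as recorded in the log
    names: tuple       # dNSName SANs on the certificate

def in_zone(name, zone):
    # A SAN belongs to our zone if it is the apex or a subdomain of it; '*.x' counts as x
    base = name[2:] if name.startswith("*.") else name
    base, zone = base.lower().rstrip("."), zone.lower().rstrip(".")
    return base == zone or base.endswith("." + zone)

def unexpected_certs(entries, zone, trusted_issuers, known_fingerprints):
    # Return (entry, reason) pairs for certificates naming our zone that we did not expect
    findings = []
    for e in entries:
        ours = [n for n in e.names if in_zone(n, zone)]
        if not ours or e.fingerprint in known_fingerprints:
            continue  # either not about our domain, or a certificate we obtained ourselves
        if e.issuer not in trusted_issuers:
            findings.append((e, f"unknown issuer {e.issuer!r} for {ours}"))
        else:
            findings.append((e, f"unrecognised certificate for {ours} from a CA we use"))
    return findings

# Constructed sample log entries, not real log data
SAMPLE_LOG = [
    LogEntry("aa11", "Our Usual CA", ("example.com", "www.example.com")),
    LogEntry("bb22", "Our Usual CA", ("*.example.com",)),
    LogEntry("cc33", "Some Other CA", ("login.example.com",)),
    LogEntry("dd44", "Some Other CA", ("example.com.attacker.test",)),
    LogEntry("ee55", "Our Usual CA", ("shop.example.com",)),
]
KNOWN = {"aa11", "bb22"}          # fingerprints of certificates we requested ourselves
TRUSTED = {"Our Usual CA"}        # the CA(s) we actually buy certificates from

def scan_sample():
    return unexpected_certs(SAMPLE_LOG, "example.com", TRUSTED, KNOWN)
```

A real monitor would feed it entries pulled from the public logs on a schedule and alert on any non-empty result.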


© 2024 shulou.com SLNews company. All rights reserved.
