Unfortunately, the DigiNotar incident wasn't a one-time thing

Oct 28, 2011 09:59 GMT

Certificate authorities (CAs) are still falling victim to hackers, even though many believed that things would get back to normal once the DigiNotar incidents faded away. Recent findings show that at least five other CAs were hit in the past four months.

EFF's Peter Eckersley has published the partial results of his latest investigations, which show that HTTPS is still not 100% reliable when it comes to protecting our assets.

“Unfortunately, it is still feasible for some attackers to break HTTPS. Leaving aside cryptographic protocol vulnerabilities, there are structural ways for its authentication mechanism to be fooled for any domain, including mail.google.com, www.citibank.com, www.eff.org, addons.mozilla.org, or any other incredibly sensitive service,” Eckersley says.

More than 600 CAs are trusted by commercial browsers, so all a hacker needs to do is break into the systems of just one of them. With so many companies, chances are that at least some of them don't properly secure their infrastructure, and as hackers are highly resourceful, they will eventually find a way to sneak past the security products.

Another way in which a cybercriminal can get their hands on certificates is by compromising a router that's near such a company. This allows them to intercept incoming and outgoing packets, which ultimately leads to compromised domain validation.

After studying the Certificate Revocation Lists published by CAs, the researcher concluded that in at least 248 cases a company indicated that it had revoked a certificate due to a breach, with 15 distinct organizations involved in total. Compared with the number of firms that had issued such statements in June, the results show that at least five new authorities have joined the ones that suffered an attack.
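A tally of this kind can be reproduced over CRL dumps. The following is an added example, not code from the article or from the EFF: it counts revocation entries per issuing organization in text laid out like the output of `openssl crl -noout -text`, assuming the breach indication corresponds to the RFC 5280 `cACompromise` reason code, which OpenSSL prints as "CA Compromise". The CRL text, CA names and serials are constructed.

```python
import re
from collections import Counter

# Constructed, abridged `openssl crl -noout -text` output for two invented CAs.
SAMPLE_CRLS = """\
Certificate Revocation List (CRL):
        Issuer: C = XX, O = Example Trust, CN = Example Trust Root
Revoked Certificates:
    Serial Number: 0A
        CRL entry extensions:
            X509v3 CRL Reason Code:
                CA Compromise
    Serial Number: 0B
        CRL entry extensions:
            X509v3 CRL Reason Code:
                Key Compromise
    Serial Number: 0C
        CRL entry extensions:
            X509v3 CRL Reason Code:
                CA Compromise
Certificate Revocation List (CRL):
        Issuer: /C=XX/O=Sample CA/CN=Sample Issuing CA
Revoked Certificates:
    Serial Number: 1F
"""

def tally_reason(text, reason="CA Compromise"):
    """Count revoked entries carrying `reason`, grouped by issuer organization."""
    counts, issuer, expect_reason = Counter(), None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Issuer:"):
            # Accept both "O = Name, ..." and "/O=Name/..." issuer layouts.
            m = re.search(r"(?:^|[,/\s])O\s*=\s*([^,/]+)", line[7:])
            issuer = m.group(1).strip() if m else line
        elif line.startswith("X509v3 CRL Reason Code"):
            expect_reason = True  # OpenSSL prints the value on the next line
        elif expect_reason:
            expect_reason = False
            if line == reason:
                counts[issuer] += 1
    return counts

def summarize(text):
    counts = tally_reason(text)
    return sum(counts.values()), len(counts)  # (revocations, distinct orgs)

if __name__ == "__main__":
    print(tally_reason(SAMPLE_CRLS), summarize(SAMPLE_CRLS))
```

Entries without a reason code extension, such as serial 1F in the sample, are not counted, so a tally like this is a lower bound on revocations caused by a compromise.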

Each of the incidents could easily have resulted in broken protection for any website that reassures its customers with the well-known padlock.