A Chinese certificate authority handed out a base certificate for GitHub and the University of Central Florida to a security researcher. The incident occurred more than a year ago in July 2015 but went unreported, and it was the second time the researcher was able to obtain a base certificate from WoSign. Brian Spector, CEO at MIRACL commented below.

Brian Spector, CEO at MIRACL:

“This incident highlights just how easy it is for attackers to take advantage of the lax controls around commercial certificate authorities in order to achieve their goals. When hackers gain access to a legitimate code signing certificate, it’s like a criminal posing as a police officer with a real police officer’s badge, because there’s no way to tell the difference between a fraudulently issued certificate and a real one.

“Due to the way they are structured, certificate authorities create a single point of compromise which attackers can easily exploit. Unfortunately the vulnerabilities in Public Key Infrastructure (PKI), the architecture behind CAs, have been common knowledge for at least 15 years, and each hack just makes the situation worse.

“But the industry is already working on a solution. By distributing trust between several locations, rogue people and practices can be self-governed, and the web can continue to grow and expand more securely to meet its needs for the future. Efforts to replace the outdated CA system with a new distributed cryptosystem are already underway and incubating at the Apache Foundation. It won’t be long before certificate authorities are consigned to the history books.”

Information Security Buzz