A Chinese certificate authority, WoSign, issued a base-domain certificate for GitHub and the University of Central Florida to a security researcher. The incident occurred in July 2015, more than a year ago, but went unreported, and it was the second time the researcher had been able to obtain such a certificate from WoSign. Brian Spector, CEO at MIRACL, commented:
“This incident highlights just how easy it is for attackers to take advantage of the lax controls around commercial certificate authorities in order to achieve their goals. When hackers gain access to a legitimate code signing certificate, it’s like a criminal posing as a police officer with a real police officer’s badge, because there’s no way to tell the difference between a fraudulently issued certificate and a real one.
“Due to the way they are structured, certificate authorities create a single point of compromise which attackers can easily exploit. Unfortunately, the vulnerabilities in Public Key Infrastructure (PKI), the architecture behind CAs, have been common knowledge for at least 15 years, and each hack just makes the situation worse.
“But the industry is already working on a solution. By distributing trust between several locations, rogue people and practices can be self-governed, and the web can continue to grow and expand more securely to meet its needs for the future. Efforts to replace the outdated CA system with a new distributed cryptosystem are already underway and incubating at the Apache Foundation. It won’t be long before certificate authorities are consigned to the history books.”