A Chinese certificate authority, WoSign, handed out a base certificate for GitHub and the University of Central Florida to a security researcher. The incident occurred in July 2015, more than a year ago, but went unreported, and it was the second time the researcher had been able to obtain a base certificate from WoSign. Brian Spector, CEO at MIRACL, commented below.
Brian Spector, CEO at MIRACL:
“This incident highlights just how easy it is for attackers to take advantage of the lax controls around commercial certificate authorities in order to achieve their goals. When hackers gain access to a legitimate code signing certificate, it’s like a criminal posing as a police officer with a real police officer’s badge, because there’s no way to tell the difference between a fraudulently issued certificate and a real one.
“Due to the way they are structured, certificate authorities create a single point of compromise which attackers can easily exploit. Unfortunately the vulnerabilities in Public Key Infrastructure (PKI), the architecture behind CAs, have been common knowledge for at least 15 years, and each hack just makes the situation worse.
“But the industry is already working on a solution. By distributing trust between several locations, rogue people and practices can be self-governed, and the web can continue to grow and expand more securely to meet its needs for the future. Efforts to replace the outdated CA system with a new distributed cryptosystem are already underway and incubating at the Apache Foundation. It won’t be long before certificate authorities are consigned to the history books.”