A Chinese certificate authority, WoSign, issued a base certificate for GitHub and the University of Central Florida to a security researcher. The incident occurred more than a year ago, in July 2015, but went unreported, and it was the second time the researcher had been able to obtain a base certificate from WoSign. Brian Spector, CEO at MIRACL, commented as follows.
Brian Spector, CEO at MIRACL:
“Due to the way they are structured, certificate authorities create a single point of compromise which attackers can easily exploit. Unfortunately, the vulnerabilities in Public Key Infrastructure (PKI), the architecture behind CAs, have been common knowledge for at least 15 years, and each hack just makes the situation worse.
“But the industry is already working on a solution. By distributing trust between several locations, rogue people and practices can be self-governed, and the web can continue to grow and expand more securely to meet its needs for the future. Efforts to replace the outdated CA system with a new distributed cryptosystem are already underway and incubating at the Apache Foundation. It won’t be long before certificate authorities are consigned to the history books.”