Why Every Company Needs to Watch Out for Fake SSL Certificates

Search giant Google detected several fake Secure Sockets Layer (SSL) certificates in December, prompting speedy revocation of permissions along with a public announcement. According to CSO, this turned out to be an accidental misuse, but the incident raises an important question: If Google can be fooled, how safe is your business?

SSL and Certification: Better Together

To ensure data security online, companies rely on two essential technologies. First is the Secure Sockets Layer (SSL) encryption protocol. Asymmetric encryption is the most popular form of SSL encryption and uses two keys, one public and one private. The public key encrypts data, but only the corresponding private key will decode this information; not even the original public key has this ability.

So why the need for certificates?

When a company accesses a website that looks legitimate and exchanges keys with it, the site it is talking to can actually be a spoofed site set up by a hacker. To protect against this kind of identity fraud, certificates were developed. These are digital documents “signed” by registered certificate authorities (CAs), which verify the identity of a website or a server. Together, SSL encryption and digital certificates provide a high degree of protection.

Getting to the Root of the CA Vulnerability

CAs receive permission from large companies, such as Google or Microsoft, to issue certificates that their browsers and operating systems will trust; many web-hosting providers also offer CA services. Businesses then contact a CA for signed certificates to verify their websites. CAs will ask for proof that a company or website is legitimate and then, if satisfied, digitally sign its certificate.

Most web browsers come with a list of recognized root CAs and will warn users if an unfamiliar certificate is detected. Root CAs hold a master key pair (public and private) used to sign all certificates in their “tree”; some certificates are issued directly and others are farmed out to trusted third-party intermediate companies. If a provider issues bad certificates, its trust will be revoked, effectively putting it out of business.

Unfortunately, no method is perfect. In December, Google detected an unauthorized certificate attached to Google.com. In turn, the company revoked its trust in the intermediate CA and traced the cert back to the Agence Nationale de la Sécurité des Systèmes d’Information (ANSSI), which is not only a root CA but also responsible for the protection of French government networks.

The certificate used in the recent debacle was signed in error and had no malicious intent, but as Google security engineer Adam Langley noted on the company’s security blog, “Intermediate CA certificates carry the full authority of the CA, so anyone who has one can use it to create a certificate for any website they wish to impersonate.”
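The point in Langley’s quote can be seen in code. The following Go program (an added example, not code from the article, from Google or from ANSSI) uses the standard library’s crypto/x509 to build a constructed trust store with two roots, issue a certificate for www.example.com from an intermediate under each root, and run two checks: ordinary chain validation, which accepts both certificates because each chains to a trusted root, and a check that the chain ends at the root the site operator expects, the kind of public-key pinning Chrome uses to flag such certificates, which rejects the one from the rogue intermediate. All CA names, keys and the host name are constructed for the demo.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// mkCert issues a cert for cn with a fresh (constructed) key; parent == nil gives a self-signed root.
func mkCert(cn string, isCA bool, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), IsCA: isCA, BasicConstraintsValid: true}
	if !isCA { // leaf: bound to the host name and restricted to server authentication
		tmpl.DNSNames, tmpl.ExtKeyUsage = []string{cn}, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	if parent == nil { // self-signed root
		parent, pkey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, pkey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// verify does what a browser does (chain to any trusted root), then the pin check: a valid chain must end at the expected root.
func verify(leaf, inter *x509.Certificate, roots *x509.CertPool, host string, pin *x509.Certificate) (chainOK, pinOK bool) {
	inters := x509.NewCertPool()
	inters.AddCert(inter)
	chains, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots, Intermediates: inters})
	for _, c := range chains {
		pinOK = pinOK || c[len(c)-1].Equal(pin)
	}
	return err == nil, pinOK
}
// Scenario: two trusted roots; a rogue intermediate under the second one issues a cert for the same host.
func Scenario() (legitChain, legitPin, rogueChain, roguePin bool) {
	rootA, keyA := mkCert("Expected Root CA", true, nil, nil)
	rootB, keyB := mkCert("Some Other Root CA", true, nil, nil)
	interA, keyIA := mkCert("Expected Intermediate CA", true, rootA, keyA)
	interB, keyIB := mkCert("Rogue Intermediate CA", true, rootB, keyB)
	roots := x509.NewCertPool()
	roots.AddCert(rootA)
	roots.AddCert(rootB)
	legit, _ := mkCert("www.example.com", false, interA, keyIA)
	rogue, _ := mkCert("www.example.com", false, interB, keyIB)
	legitChain, legitPin = verify(legit, interA, roots, "www.example.com", rootA)
	rogueChain, roguePin = verify(rogue, interB, roots, "www.example.com", rootA)
	return
}
```

Scenario returns true, true, true, false: the rogue certificate passes standard validation, exactly as Langley describes, and only the pin check catches it.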

Tracking Down Counterfeit Certificates

So how do malicious certificates get deployed? There are several methods. One common way is through self-signed certificates that users choose to accept despite pop-up warnings not to. Virus protection programs will detect these self-signed certs, and popular Internet browsers like Chrome, Internet Explorer and Firefox all include tools for discovering who signed a certificate.

It’s also possible for hackers to create a proxy server to intercept legitimate certificate traffic, handle the real SSL connection and then send users a hard-to-detect imitation certificate. According to ZDNet, such a proxy server could be used to compromise an entire tier-one Internet Service Provider (ISP).

To ensure that fake certificates don’t slip through company defenses, businesses must regularly update Internet browsers to obtain current SSL certificate lists. In addition, a robust firewall is recommended — many reputable security providers offer firewalls, which can deep-scan SSL encrypted traffic to sniff out fake certificates or malicious code.

How do you avoid Google’s misstep? By recognizing that SSL certificates, although they provide a high level of protection against data theft and misuse, aren’t foolproof. Company oversight and automatic detection are essential components for secure data transmission.
