Are intermediate certification authority certificates targets for man-in-the-middle attacks?

15-01-2014 12:14:39
As many of you may know, Google recently detected a TLS/SSL certificate that was created by the Ministry of France and used in “a commercial device, on a private network, to inspect encrypted traffic with the knowledge of the end users.” In general, no application on the public internet requires such a certificate, and the use of this type of intermediate certificate creates many security problems, such as “internet traffic routing, domain name resolution and the possibility of an unconstrained trusted intermediate CA certificate.”
 
That being said, there are still legitimate reasons why an enterprise, organization or government would need such a certificate. For example, in the financial market, regulatory rules require that brokers have all of their communications recorded so that their activity can be overseen and regulated. In this case the TLS/SSL certificate provides encryption to users within the portal while at the same time making the traffic available for oversight. However, instead of using a publicly trusted Root CA and misusing the certificate, the enterprise, organization or government should use a privately trusted CA that is trusted only within the defined scope of that portal.
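The difference between an unconstrained intermediate and one that is trusted only within a defined scope can be shown with a small chain built in Go's standard crypto/x509 package. This is an added example, not code from the original post or from SSLGURU; the CA names, key material and the example.com / example.org host names are constructed for the demo. It creates a private root, issues an intermediate with or without a critical Name Constraints extension (`PermittedDNSDomains`), issues a leaf from that intermediate, and asks the verifier whether a client trusting only the private root would accept the leaf for a given host name.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newKey generates a throwaway ECDSA P-256 key (constructed for this demo only).
func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// sign issues a certificate from tmpl for pub, signed by signerKey. When parent
// is nil the template signs itself (a root CA).
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signerKey *ecdsa.PrivateKey) *x509.Certificate {
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// caTemplate builds a CA certificate template. A non-empty permitted list adds a
// critical Name Constraints extension, so the CA may only issue for names under
// those DNS suffixes. An empty list produces an unconstrained CA.
func caTemplate(cn string, serial int64, permitted []string) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	if len(permitted) > 0 {
		t.PermittedDNSDomainsCritical = true
		t.PermittedDNSDomains = permitted
	}
	return t
}

// leafTemplate builds a TLS server certificate template for one DNS name.
func leafTemplate(dnsName string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: dnsName},
		DNSNames:     []string{dnsName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
}

// IssuedNameAccepted builds a private root -> intermediate -> leaf chain, where the
// intermediate carries the given permitted DNS suffixes, and reports whether a TLS
// client that trusts only the private root would accept the leaf for dnsName.
func IssuedNameAccepted(permitted []string, dnsName string) bool {
	rootKey, interKey, leafKey := newKey(), newKey(), newKey()

	root := sign(caTemplate("Example Private Root", 1, nil), nil, &rootKey.PublicKey, rootKey)
	inter := sign(caTemplate("Example Portal Intermediate", 2, permitted), root, &interKey.PublicKey, rootKey)
	leaf := sign(leafTemplate(dnsName, 3), inter, &leafKey.PublicKey, interKey)

	roots := x509.NewCertPool()
	roots.AddCert(root)
	inters := x509.NewCertPool()
	inters.AddCert(inter)

	// The verifier enforces the intermediate's name constraints against the
	// leaf's Subject Alternative Names; an out-of-scope name fails here.
	_, err := leaf.Verify(x509.VerifyOptions{
		DNSName:       dnsName,
		Roots:         roots,
		Intermediates: inters,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err == nil
}

func main() {
	portalOnly := []string{"example.com"} // constructed scope: the portal's own domain
	fmt.Println("constrained CA, in-scope name:    ", IssuedNameAccepted(portalOnly, "portal.example.com"))
	fmt.Println("constrained CA, out-of-scope name:", IssuedNameAccepted(portalOnly, "bank.example.org"))
	fmt.Println("unconstrained CA, any name:       ", IssuedNameAccepted(nil, "bank.example.org"))
}
```

The third case is the situation the post warns about: with no Name Constraints, anything the intermediate signs is accepted for any host, so a single misused key from the portal's CA affects every site a trusting client visits. With the constraint in place the same intermediate can still serve the portal, but a certificate it issues for an unrelated domain is rejected by the client before any traffic is sent.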
 
You may be wondering: if it is easy enough to acquire a TLS/SSL certificate, could hackers just as easily obtain an unconstrained trusted intermediate CA certificate? The answer is no, because of the standards and rules put in place by the CA/Browser Forum Baseline Requirements. The CA/B Forum requires that a TLS/SSL certificate be issued only after confirmation from the domain owner.
 
Depending on the type of SSL certificate, confirmation is made either by responding to an email sent to the registered email address of the domain (DV certificates) or, for the more thoroughly validated OV and EV SSL certificates, not only by contacting the domain owner by email or phone but also by requiring them to submit formal documents proving that their organization exists.
 
In closing, SSL certificates are a cornerstone of the internet. They are sometimes required, and they should always be used for websites that transfer, or could transfer, personal data, including but not limited to: user names, passwords, SSNs, debit/credit card numbers, PINs, forms, online conversations, VoIP, gateways, portals, VPNs, etc. SSL does have vulnerabilities, and most stem from human error, which is why network administrators should ALWAYS store their private keys in a secure environment to avoid a data breach.
 
Source: SSLGURU.com
Photo by openDemocracy via Flickr.com
