Unauthorized SSL certificates put everyone at risk
Google warns of unauthorized TLS certificates trusted by almost all OSes Ars Technica
“In the latest security lapse involving the Internet's widely used encryption system, Google said unauthorized digital certificates have been issued for several of its domains and warned misissued credentials may be impersonating other unnamed sites as well."
The existing SSL certificate authority structure is fatally flawed. Its integrity relies on a huge number of primary and secondary certificate authorities to follow the rules and only issue certificates to the valid owners of websites. Of course many of these certificate authorities are in places where they can be pressured or forced to issue certificates to other entities for other purposes, like surveillance.
In February we saw SuperFish installing it’s own certificate on every computer where it was installed.
In January we saw Gogo Inflight simply self signing certificates, generating errors which were widely ignored.
In July 2014 an Indian certificate authority was caught creating fake certificates for Google services.
In April 2013 Firefox black listed a certificate authority for this kind of thing.
Lance Cottrell is the Founder and Chief Scientist of Anonymizer. Follow me on Facebook, Twitter, and Google+.