Rogue SSL certificates
It seems like the only stories that make the headlines are the ones with the most chilling titles. Unless you were looking, you may never have even known about rogue SSL certificates making their way into the wild.
The story goes like this: Certificate vendor Comodo issued SSL certificates for popular domains to end users/companies that didn’t actually control those domains. The whole concept of SSL certificates is based on trust, where everything leads back to a trusted authority to validate that the recipient of the certificates is actually who they say they are. If that’s broken, lots of bad things can happen.
What this means is that someone who wasn’t Google was able to obtain a certificate for mail.google.com. If they put up this certificate and somehow hijacked your browser into going to their site, thinking it was the real mail.google.com, you would never have known, because the browser would not have shown a warning. That is, you would have been talking to the other end thinking it was Google, even though it wasn’t, and would have had no good way of knowing.
This is scary. Since certificates were designed to validate that the end party is who they claim to be, the whole mechanism relies on the certificate vendor (or certificate “authority” as it’s called) to ensure that certificates only go to those who are valid.
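To make the trust mechanism above concrete, here is a small simulation of it, added for this post and not code from the original article or from Comodo. It models a browser trust store, a CA that signs certificates, and the check a browser performs, then shows why a certificate for mail.google.com issued by any trusted CA passes that check, and how pinning the domain's known public key catches it. Everything in it is constructed: the CA names ("HonestRoot", "LaxRoot"), the keys, and the textbook RSA with small hard-coded primes (insecure, illustration only).

```python
"""Toy PKI simulation of the rogue-certificate problem and a pinning check.

Everything here is constructed for illustration: textbook RSA with small
hard-coded primes (insecure), made-up CA names and made-up keys. It is not the
article's or Comodo's code. Needs Python 3.8+ for pow(e, -1, phi).
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, Tuple

PubKey = Tuple[int, int]   # (n, e)
PrivKey = Tuple[int, int]  # (n, d)


def make_toy_keypair(p: int, q: int, e: int = 17) -> Tuple[PubKey, PrivKey]:
    """Textbook RSA from two hard-coded primes. Constructed; never use for real keys.
    The primes are big enough that a wrong signature cannot verify by accident,
    and far too small to be secure."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))


def _digest_mod_n(data: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def toy_sign(priv: PrivKey, data: bytes) -> int:
    n, d = priv
    return pow(_digest_mod_n(data, n), d, n)


def toy_verify(pub: PubKey, data: bytes, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == _digest_mod_n(data, n)


@dataclass(frozen=True)
class Cert:
    subject: str   # domain the certificate is for
    issuer: str    # CA that signed it
    pub: PubKey    # subject's public key
    sig: int       # issuer's signature over tbs()

    def tbs(self) -> bytes:
        """The 'to be signed' part: every field except the signature."""
        return f"{self.subject}|{self.issuer}|{self.pub[0]}|{self.pub[1]}".encode()


def issue(ca_name: str, ca_priv: PrivKey, subject: str, subject_pub: PubKey) -> Cert:
    """A CA signing a certificate. Checking that the requester really controls
    `subject` is the step that failed in the Comodo case; this toy CA signs
    whatever it is asked to sign, so the caller decides whether that check happened."""
    unsigned = Cert(subject, ca_name, subject_pub, 0)
    return Cert(subject, ca_name, subject_pub, toy_sign(ca_priv, unsigned.tbs()))


def browser_accepts(cert: Cert, trust_store: Dict[str, PubKey], expected_host: str) -> bool:
    """What the browser checks: the issuer is in its trust store, the signature
    verifies under that issuer's key, and the subject is the host we meant to
    reach. Nothing here distinguishes a properly issued certificate from a rogue
    one signed by the same trusted CA."""
    root = trust_store.get(cert.issuer)
    return (root is not None and cert.subject == expected_host
            and toy_verify(root, cert.tbs(), cert.sig))


def spki_fingerprint(pub: PubKey) -> str:
    """Hash of the public key, the value a pin records."""
    return hashlib.sha256(f"{pub[0]}:{pub[1]}".encode()).hexdigest()


def pin_matches(cert: Cert, pins: Dict[str, str]) -> bool:
    """Public-key pinning, the mitigation: accept only the key already known to
    belong to this host, no matter which trusted CA signed the certificate."""
    return pins.get(cert.subject) == spki_fingerprint(cert.pub)


# --- constructed scenario -----------------------------------------------------
HONEST_PUB, HONEST_PRIV = make_toy_keypair(65537, 104729)        # "HonestRoot" CA
LAX_PUB, LAX_PRIV = make_toy_keypair(7919, 1299709)              # "LaxRoot": trusted, but issues without checking
GOOGLE_PUB, _ = make_toy_keypair(541, 15485863)                  # the real domain owner's key
ATTACKER_PUB, ATTACKER_PRIV = make_toy_keypair(2147483647, 1000003)

TRUST_STORE = {"HonestRoot": HONEST_PUB, "LaxRoot": LAX_PUB}     # what the browser ships with

GENUINE_CERT = issue("HonestRoot", HONEST_PRIV, "mail.google.com", GOOGLE_PUB)
ROGUE_CERT = issue("LaxRoot", LAX_PRIV, "mail.google.com", ATTACKER_PUB)       # the Comodo-style failure
# Claiming HonestRoot as issuer without HonestRoot's key yields a signature that does not verify.
FORGED_CERT = issue("HonestRoot", ATTACKER_PRIV, "mail.google.com", ATTACKER_PUB)

PINS = {"mail.google.com": spki_fingerprint(GOOGLE_PUB)}         # known-good key, recorded in advance

if __name__ == "__main__":
    for name, cert in [("genuine", GENUINE_CERT), ("rogue", ROGUE_CERT), ("forged", FORGED_CERT)]:
        print(f"{name:8s} browser accepts: {browser_accepts(cert, TRUST_STORE, 'mail.google.com')!s:5s}"
              f"  pin matches: {pin_matches(cert, PINS)}")
```

The forged certificate is the case the trust chain does catch: its signature was not made with a key the browser trusts. The rogue certificate is the case it cannot catch, because a trusted CA really did sign it; only a check that looks past the CA, such as the pin on the domain's known key, rejects it.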
From the article:
What can you do with such a certificate?
Well, if you are a government and able to control Internet routing within your country, you can reroute all, say, Skype users to fake https://login.skype.com and collect their usernames and passwords, regardless of the SSL encryption seemingly in place. Or you can read their e-mail when they go to Yahoo, Gmail or Hotmail. Even most geeks wouldn’t notice this was going on.
It’s clear that methods of attack like this are the way things are heading in the cyber world. Vigilance is a must.