Last updated 30 Dec 2012

Notable Security Breaches

The following notable breaches of Certificate Authority (CA) security have happened since 2001:

  • Verisign issues two certificates to someone posing as Microsoft in 2001.
  • The Electronic Frontier Foundation (EFF) writes an open letter to Verizon in 2010 about a compromise of the security of about 100,000 Blackberry PDAs (personal digital assistants).
  • One of Comodo's Registration Authorities (RAs) issues nine certificates in March 2011 to someone posing as various organizations, including Google, Microsoft and Yahoo. A short overview, with comments, of how this situation arose can be found here.
  • The same Comodo hacker says he has done the same thing to another Certificate Authority and two more Comodo partners in March 2011.
  • DigiNotar (a Dutch Certificate Authority) issues SSL wildcard certificates (September 2011) for *.google.com, *.torproject.org and *.*.com. Current practice is to use the Subject Alternative Name of the certificate to specify specific DNS domain names. So a certificate issued for www.somedomain.com and www.somedomain.net would have separate DNS items in the Subject Alternative Name of the certificate. The DigiNotar Certificate Authority is commonly found on Android phones.
  • Trustwave issues a Man-in-the-Middle certificate (February 2012) allowing SSL connections to be compromised.
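
The Subject Alternative Name point in the DigiNotar item above is easier to see with a concrete hostname matcher. The following Python is an added example, not code from this page or from any CA or browser; it applies the RFC 6125 section 6.4.3 wildcard rules in a deliberately conservative form (an assumed client policy: a single wildcard, only as the whole leftmost label, with at least two labels after it, so "*.com" and "*.*.com" are refused outright), and the SAN lists it checks are constructed for illustration rather than taken from any real certificate.

```python
"""Hostname matching against a certificate's Subject Alternative Name (SAN).

Added example (not code from the original page). Implements the RFC 6125
section 6.4.3 wildcard rules in a conservative form (assumed client policy):
  * a wildcard is allowed only as the complete leftmost label ("*.example.com");
  * it matches exactly one label, so "*.example.com" matches "www.example.com"
    but not "a.b.example.com" or "example.com";
  * at least two labels must follow the wildcard, so "*.com" and "*.*.com"
    are rejected outright.
The sample SAN lists below are constructed for illustration, not taken from
any real certificate.
"""
from typing import Iterable, List


def _labels(name: str) -> List[str]:
    """Split a DNS name into lower-cased labels, dropping a trailing dot."""
    return name.rstrip(".").lower().split(".")


def san_entry_is_acceptable(entry: str) -> bool:
    """Reject SAN dNSName entries that a careful client should not honour."""
    labels = _labels(entry)
    if any(lab == "" for lab in labels):
        return False
    star_labels = [lab for lab in labels if "*" in lab]
    if not star_labels:
        return True
    # Exactly one wildcard, it must be the whole leftmost label, and at
    # least two real labels must follow it ("*.example.com", never "*.com").
    if len(star_labels) != 1 or labels[0] != "*":
        return False
    return len(labels) >= 3


def matches(hostname: str, entry: str) -> bool:
    """Does one SAN dNSName entry cover hostname under the rules above?"""
    if not san_entry_is_acceptable(entry):
        return False
    host = _labels(hostname)
    pat = _labels(entry)
    if "*" in host or len(host) != len(pat):
        return False
    # The wildcard consumes exactly one label; every other label must match.
    return all(p == "*" or p == h for p, h in zip(pat, host))


def covered_by_san(hostname: str, san_dns_names: Iterable[str]) -> bool:
    """True if any dNSName entry in the certificate's SAN covers hostname."""
    return any(matches(hostname, e) for e in san_dns_names)


def rejected_entries(san_dns_names: Iterable[str]) -> List[str]:
    """List the SAN entries a client should refuse, e.g. '*.*.com'."""
    return [e for e in san_dns_names if not san_entry_is_acceptable(e)]


if __name__ == "__main__":
    # Constructed samples: a two-domain certificate with separate SAN
    # entries, and an over-broad SAN resembling the DigiNotar case above.
    ordinary_san = ["www.somedomain.com", "www.somedomain.net"]
    overbroad_san = ["*.google.com", "*.torproject.org", "*.*.com"]
    print(covered_by_san("www.somedomain.net", ordinary_san))   # True
    print(covered_by_san("mail.somedomain.com", ordinary_san))  # False
    print(covered_by_san("mail.google.com", overbroad_san))     # True
    print(covered_by_san("a.b.google.com", overbroad_san))      # False
    print(rejected_entries(overbroad_san))                       # ['*.*.com']
```

The ordinary certificate covers exactly the two names listed and nothing else, which is the separate-DNS-entries practice the item describes. The over-broad SAN shows why "*.*.com" is abnormal: under the one-label wildcard rule it can never be a legitimate name, so a client that refuses such entries up front is better placed than one that only learns about the certificate later through revocation.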

The Verisign and Comodo certificates have been revoked, but the revocation mechanism is apparently insufficient to ensure PC security, so you will find these certificates placed permanently in various certificate stores on your PC. There is the Windows certificate store, which the operating system (and most Windows-based software) uses, and then there is the Mozilla store that Firefox uses. PC security would probably be best served by a single certificate store; otherwise fixing a potential security breach in one store may still leave the other compromised.

The Comodo hacker apparently used some very well-known, but preventable, techniques to gain access to the server accounts and get the certificates issued, so it appears that these servers were not kept up to date with security patches. For an overview of the anarchic state of certificate issuance, see 650 Organizations.
