SSL Certificate Misissuance Caused by Software Bugs

by Mojoe.net | Oct 14, 2019 | Cybersecurity, Mojoe.Net, News, SSL Certificates, Website


Software bugs and misinterpretations of industry standards are at the heart of most cases of incorrectly issued SSL certificates, together accounting for 42% of all incidents, a recent academic study has found.

The research, authored by a team from the School of Informatics and Computing at Indiana University Bloomington, looked at 379 instances of misissued SSL certificates, drawn from a total of over 1,300 known incidents.

Academics gathered incident data from public sources such as Mozilla’s Bugzilla tracker and the Google Groups discussion forums for the Firefox and Chrome browser security teams.

The purpose of this research was to look at how Certificate Authorities (CAs) adhered to industry standards, and what the most common causes of misissued SSL certificates are.

CAs are organizations that sell or provide free SSL certificates. These SSL certificates are then used to encrypt communications between clients and servers in the form of HTTPS connections.

CA activity is governed by the CA/B Forum, an industry group made up of browser and OS makers, and the CAs themselves.

The CA/B Forum publishes and updates industry guidelines that dictate the correct way to issue SSL certificates.

Over the years, CAs have had multiple missteps where they issued certificates without adhering to these rules. There have been cases where CAs issued SSL certificates that were then used to perform man-in-the-middle (MitM) attacks and intercept HTTPS traffic, or were used in malware operations; in other cases CAs issued certificates without following standard procedures, whether through human error, by accident, or to cut costs and increase profits.

CAs have also been observed backdating SSL certificates to avoid deprecation timelines, issuing SSL certificates without verifying that the buyer is a legitimate person or company, and issuing SSL certificates that used weak or non-compliant algorithms.

[Figure: root causes of CA incidents. Image: Serrano et al.]

But according to the team at Indiana University Bloomington, most incidents of incorrectly issued SSL certificates were caused by software bugs.

Of the 379 cases they analyzed, 91 (24%) were caused by software bugs in a CA's software platform, resulting in customers receiving non-compliant SSL certificates.

The second most common cause was the CAs misinterpreting CA/B Forum rules, or the CAs being unaware that a rule had changed. This accounted for 69 cases or 18% of all incidents of misissued SSL certificates.

The first malicious root cause ranked only third. Academics said that in 52 cases of misissued SSL certificates, or 14% of all analyzed incidents, CAs intentionally put profits over compliance and industry rules.

“Examples of these are backdating SHA-1 certificates in order to evade its prohibition, charging for the revocation of compromised digital certificates, selling certificates for Man-in-the-Middle (MITM) attempts, and the potential (or actual) issuance of rogue certificates,” researchers said. “It goes without saying that this category presented the most alarming incidents regarding CAs’ misbehaviors or lack of ethics.”
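Two of the patterns named above, SHA-1 signatures and certificates issued outside the rules, are exactly what a certificate linter catches before or after issuance. The following is an added example, not code from the article or the researchers: a stdlib-only DER walker that pulls the signature algorithm and validity period out of an X.509 certificate and flags SHA-1 signatures and validity beyond the 825-day Baseline Requirements cap; `sample_cert` builds a constructed, non-functional certificate skeleton for input, and the 825-day figure is assumed as the compliance bar in force when the study appeared.

```python
from datetime import datetime, timezone
# Signature-algorithm OIDs the Baseline Requirements no longer permit for new certificates.
WEAK_SIG_OIDS = {"1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
                 "1.2.840.10045.4.1": "ecdsa-with-SHA1"}
MAX_VALIDITY_DAYS = 825  # assumed BR cap on subscriber-certificate validity in 2019
def der_tlv(buf, pos=0):  # decode one DER tag-length-value at pos -> (tag, value, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length
def der_children(value):  # split a SEQUENCE body into its (tag, value) children
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_tlv(value, pos)
        out.append((tag, val))
    return out
def decode_oid(value):  # OID content bytes -> dotted form; first byte packs arcs 1 and 2
    arcs, n = [str(value[0] // 40), str(value[0] % 40)], 0
    for b in value[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:  # a clear high bit ends a base-128 arc
            arcs.append(str(n)); n = 0
    return ".".join(arcs)
def decode_time(tag, value):  # UTCTime (0x17) or GeneralizedTime (0x18) -> aware datetime
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(value.decode("ascii"), fmt).replace(tzinfo=timezone.utc)
def lint_certificate(der):  # list the findings for one DER-encoded X.509 Certificate
    tbs, sig_alg, _signature = der_children(der_tlv(der)[1])
    oid = decode_oid(der_children(sig_alg[1])[0][1])  # AlgorithmIdentifier.algorithm
    findings = ["weak signature algorithm " + WEAK_SIG_OIDS[oid]] if oid in WEAK_SIG_OIDS else []
    fields = der_children(tbs[1])
    if fields[0][0] == 0xA0:  # optional [0] EXPLICIT version precedes serialNumber
        fields = fields[1:]
    # remaining TBSCertificate order: serialNumber, signature, issuer, validity, subject, ...
    not_before, not_after = (decode_time(t, v) for t, v in der_children(fields[3][1]))
    days = (not_after - not_before).days
    if days > MAX_VALIDITY_DAYS:
        findings.append(f"validity of {days} days exceeds {MAX_VALIDITY_DAYS}")
    return findings

# Constructed sample, not a real certificate: no key, empty issuer, placeholder signature.
def sample_cert(not_before=b"150101000000Z", not_after=b"180101000000Z",
                sig_oid_hex="2a864886f70d010105"):  # default OID: sha1WithRSAEncryption
    tlv = lambda tag, v: bytes([tag, len(v)]) + v  # short-form lengths suffice here
    alg = tlv(0x30, tlv(0x06, bytes.fromhex(sig_oid_hex)) + tlv(0x05, b""))
    validity = tlv(0x30, tlv(0x17, not_before) + tlv(0x17, not_after))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + alg + tlv(0x30, b"") + validity)
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00"))
```

Running `lint_certificate(sample_cert())` reports both the SHA-1 signature and the three-year validity; a real deployment would feed it DER pulled from Certificate Transparency logs or from your own issuance pipeline.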

The fourth most common cause was human error, with 37 cases (10% of the total).

Fifth came operational errors, where the mistake lay in a CA's faulty internal procedures rather than in software or human error. This accounted for 29 cases, or 8% of the total.

The sixth root cause was “non-optimum request check,” a term describing errors made in checking the identity of a customer, which usually allows a rogue customer to impersonate another entity, for example a malware author obtaining an SSL certificate for a legitimate company. Researchers found 24 such incidents, accounting for 6% of all SSL misissuance incidents.

The seventh most common root cause for misissued SSL certificates was “improper security controls,” a generic category covering all cases of CAs getting hacked or losing control of their infrastructure, allowing a third party to obtain SSL certificates.

Other root causes for SSL misissuance included change in Baseline Requirements [BR] (when CAs lagged in applying a CA/B Forum rule change); infrastructure problems (when CAs had unavailable servers, defective networks, or problems in the hardware, but they still issued a certificate); and organizational constraints (when CAs operated under strict national/government rules that were incompatible with CA/B Forum rules).

Based on the data researchers compiled, the most problematic CAs included StartCom, WoSign, DigiCert, PROCERT, Comodo (now Sectigo), QuoVadis, VISA, GoDaddy, Certum, Camerfirma, and SwissSign.

[Figure: incidents per root CA. Image: Serrano et al.]

Researchers also said that “the ten Root CAs with most incidents related to them hoarded almost half of these incidents,” revealing that a few bad apples were at the heart of most of the issues in the CA landscape.

They suggested that these entities “should be severely penalized in order to deter them, since we found that it is a pervasive behavior in the CAs.”

This article only summarizes the researchers’ work. For a more in-depth look, please refer to the research team’s 45-page white paper, entitled “A Complete Study of P.K.I. (PKI’s Known Incidents).”

Article Provided By: ZDNet
