SSL Certificate Misissuance Caused by Software Bugs

by Mojoe.net | Oct 14, 2019 | Cybersecurity, Mojoe.Net, News, SSL Certificates, Website


Software bugs and misinterpretations of industry standards are at the heart of most cases of incorrectly issued SSL certificates, together accounting for 42% of all incidents, a recent academic study has found.

The research, authored by a team from the School of Informatics and Computing at Indiana University Bloomington, looked at 379 instances of misissued SSL certificates — from a total of over 1,300 known incidents.

Academics gathered incident data from public sources such as Mozilla’s Bugzilla tracker and the Google Groups discussion forums for the Firefox and Chrome browser security teams.

The purpose of this research was to look at how well Certificate Authorities (CAs) adhere to industry standards, and what the most common cause of misissued SSL certificates is.

CAs are organizations that sell or provide free SSL certificates. These SSL certificates are then used to encrypt communications between clients and servers in the form of HTTPS connections.

CA activity is governed by the CA/B Forum, an industry group made up of browser and OS makers, and the CAs themselves.

The CA/B Forum publishes and updates industry guidelines that dictate the correct way to issue SSL certificates.

Over the years, CAs have had multiple missteps where they issued certificates without adhering to these rules. There have been cases where CA-issued certificates were used to perform man-in-the-middle (MitM) attacks and intercept HTTPS traffic, or were used in malware operations; in other cases CAs issued certificates without following standard procedures, whether because of human error, by accident, or to cut costs and increase profits.

CAs have also been observed backdating SSL certificates to avoid deprecation timelines; issuing SSL certificates without verifying that the buyer is a legitimate person or company; or issuing SSL certificates that use weak or non-compliant algorithms.
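The defects named above (backdated SHA-1 certificates, weak keys, non-compliant validity periods) are exactly what a CA's own pre-issuance linting, or a relying party's audit of Certificate Transparency data, is meant to catch. The following is an added example, not code from the article or from the study it summarizes. It assumes the certificate fields have already been parsed out of the certificate and paired with the time the certificate was first observed (for instance, a CT log timestamp); the policy dates and limits it encodes (the 2016-01-01 SHA-1 issuance ban, the 825-day validity cap from 2018-03-01, the 2048-bit RSA minimum) are my reading of the CA/B Forum Baseline Requirements and are not stated on the page. The subjects and dates in the sample records are constructed.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone

UTC = timezone.utc

# Policy dates and limits this checker encodes. These are assumptions taken
# from the CA/B Forum Baseline Requirements, not values stated on the page.
SHA1_ISSUANCE_BAN = datetime(2016, 1, 1, tzinfo=UTC)   # no new SHA-1 certificates from here on
MAX_VALIDITY_FROM = datetime(2018, 3, 1, tzinfo=UTC)   # 825-day cap applies to certs issued from here on
MAX_VALIDITY_DAYS = 825
MIN_RSA_BITS = 2048


@dataclass(frozen=True)
class CertRecord:
    """Fields extracted from a certificate plus when it was first observed
    (e.g. a Certificate Transparency log timestamp). Hypothetical structure."""
    subject: str
    sig_alg: str        # e.g. "sha256WithRSAEncryption"
    key_type: str       # "RSA" or "EC"
    key_bits: int
    not_before: datetime
    not_after: datetime
    first_seen: datetime


def check_record(rec: CertRecord) -> list[str]:
    """Return the compliance findings for one certificate (empty list if clean)."""
    findings: list[str] = []
    uses_sha1 = rec.sig_alg.lower().startswith("sha1")

    # Prohibited signature algorithm used after the ban took effect.
    if uses_sha1 and rec.not_before >= SHA1_ISSUANCE_BAN:
        findings.append("sha1-after-ban")

    # Backdating heuristic: notBefore claims pre-ban issuance, yet the
    # certificate was first observed only after the ban. A CA that really
    # issued it before the ban would normally have logged it earlier.
    if uses_sha1 and rec.not_before < SHA1_ISSUANCE_BAN <= rec.first_seen:
        findings.append("possible-backdated-sha1")

    # Validity period longer than the cap in force at issuance.
    validity_days = (rec.not_after - rec.not_before).days
    if rec.not_before >= MAX_VALIDITY_FROM and validity_days > MAX_VALIDITY_DAYS:
        findings.append("validity-too-long")

    # Key too small for its algorithm.
    if rec.key_type == "RSA" and rec.key_bits < MIN_RSA_BITS:
        findings.append("weak-rsa-key")

    return findings


def tally_findings(records) -> dict[str, int]:
    """Count how often each finding occurs across a batch of records,
    the same kind of root-cause tally the study reports."""
    counts: dict[str, int] = {}
    for rec in records:
        for finding in check_record(rec):
            counts[finding] = counts.get(finding, 0) + 1
    return counts


def _d(year: int, month: int, day: int) -> datetime:
    return datetime(year, month, day, tzinfo=UTC)


# Constructed sample records; the subjects are placeholders, not real certificates.
SAMPLES = {
    "clean": CertRecord("ok.example.test", "sha256WithRSAEncryption", "RSA", 2048,
                        _d(2019, 1, 1), _d(2020, 1, 1), _d(2019, 1, 1)),
    "backdated": CertRecord("backdated.example.test", "sha1WithRSAEncryption", "RSA", 2048,
                            _d(2015, 12, 20), _d(2016, 12, 20), _d(2016, 3, 10)),
    "sha1_late": CertRecord("sha1.example.test", "sha1WithRSAEncryption", "RSA", 2048,
                            _d(2016, 6, 1), _d(2017, 6, 1), _d(2016, 6, 1)),
    "weak_key": CertRecord("weak.example.test", "sha256WithRSAEncryption", "RSA", 1024,
                           _d(2019, 1, 1), _d(2020, 1, 1), _d(2019, 1, 1)),
    "too_long": CertRecord("long.example.test", "sha256WithRSAEncryption", "RSA", 2048,
                           _d(2018, 6, 1), _d(2021, 6, 1), _d(2018, 6, 1)),
}

if __name__ == "__main__":
    for name, rec in SAMPLES.items():
        print(f"{name:10s} {rec.subject:25s} {check_record(rec) or 'compliant'}")
    print(tally_findings(SAMPLES.values()))
```

The backdating check is deliberately a heuristic: a certificate whose notBefore predates the SHA-1 ban but which first appears in public logs afterwards is not proof of misissuance on its own, but it is the signal that surfaced several of the incidents the study counts, and it is cheap to run over an entire CT log export.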

[Figure ca-research-causes.png. Image: Serrano et al.]

But according to the team at Indiana University Bloomington, most of the incidents of incorrectly-issued SSL certificates had been caused by software bugs.

Of the 379 cases they analyzed, 91 (24%) had been caused by software bugs in a CA’s software platform, resulting in customers receiving non-compliant SSL certificates.

The second most common cause was the CAs misinterpreting CA/B Forum rules, or the CAs being unaware that a rule had changed. This accounted for 69 cases or 18% of all incidents of misissued SSL certificates.

The first malicious root cause ranked only third. Academics said that in 52 cases of misissued SSL certificates, or 14% of all analyzed incidents, CAs intentionally put profits over compliance and industry rules.

“Examples of these are backdating SHA-1 certificates in order to evade its prohibition, charging for the revocation of compromised digital certificates, selling certificates for Man-in-the-Middle (MITM) attempts, and the potential (or actual) issuance of rogue certificates,” researchers said. “It goes without saying that this category presented the most alarming incidents with regard to CAs’ misbehaviors or lack of ethics.”

The fourth most common cause was human error, with 37 cases (10% of the total).

Operational errors ranked fifth: cases where the mistake lay in a CA’s faulty internal procedures rather than in software or in a person’s action. This accounted for 29 cases, or 8% of the total.

The sixth root cause was “non-optimum request check,” a term that described errors made in checking the identity of a customer, which usually allows a rogue customer to impersonate another entity — for example, a malware author getting an SSL certificate for a legitimate company. Researchers found 24 such incidents, accounting for 6% of all SSL misissuance incidents.

The seventh most common root cause for misissued SSL certificates is “improper security controls,” a generic category that included all cases of CAs being hacked or losing control of their infrastructure, allowing a third party to obtain SSL certificates.

Other root causes for SSL misissuance included change in Baseline Requirements [BR] (when CAs lagged in applying a CA/B Forum rule change); infrastructure problems (when CAs had unavailable servers, defective networks, or problems in the hardware, but they still issued a certificate); and organizational constraints (when CAs operated under strict national/government rules that were incompatible with CA/B Forum rules).

Based on the data the researchers compiled, the most problematic CAs included the likes of StartCom, WoSign, DigiCert, PROCERT, Comodo (now Sectigo), Quo Vadis, VISA, GoDaddy, Certum, Camerfirma, and SwissSign.

[Figure ca-research.png. Image: Serrano et al.]

Researchers also said that “the ten Root CAs with most incidents related to them hoarded almost half of these incidents,” revealing that a few bad apples were at the heart of most of the issues in the CA landscape.

They suggested that these entities “should be severely penalized in order to deter them, since we found that it is a pervasive behavior in the CAs.”

This article only summarized the researchers’ work. For a more in-depth look, please refer to the research team’s 45-page white paper, entitled “A Complete Study of P.K.I. (PKI’s Known Incidents).”

Article Provided By: ZDNet

