Bogus SSL Certificates

Bruce Morton

Netcraft has published an article stating they have found many bogus SSL certificates. In this case, a bogus certificate is self-signed (i.e., not issued from a legitimate certification authority) and replicates an SSL certificate of a large, popular website.

This type of bogus SSL certificate could be used for a man-in-the-middle (MITM) attack. In this scenario, the attacker needs to gain a position that will allow them to intercept traffic and make you to go to their site instead of the real site. This is more likely for public Wi-Fi networks that allow connectivity in airports, cafes and hotels.

Self-signed certificates are not a threat to desktop browsers as they provide a trust dialogue when the certificate is not associated with a trusted root certificate that is embedded in the operating system or browser. The mobile browsers will work in the same way.

There is speculation that the issue is with applications on mobile devices. The Netcraft report references there are studies that show that about 40 percent of these applications do not check the status of the certificates. First, for many application developers, this is arguably legitimate. The application developer wants the app to connect to their service. They are in control of the app and their service, so a self-signed certificate may work in this scenario.

On the other hand, the app might use other services such as PayPal for billing. In this case, the app should verify the certificate properly. This is still a hard attack to pursue. How will the attacker know which bad application you are using and when?

So, what needs to be done?

  • Browsers can to continue to check the validity of the certificates and present their trust dialogues.
  • Mobile operating system vendors need to check the quality of their applications and only accept those that authenticate certificates properly.
  • Application vendors should take the time to check the validity of the certificates. Also implement public key pinning. Some of the most popular applications (e.g., Twitter, Facebook and Google) use public key pinning, which rejects connections to site with bogus certificates.
Bruce Morton
Bruce Morton
Director, Certificate Technology & Standards

Bruce Morton has worked in the public key infrastructure and digital certificate industry for more than 15 years and has focused on SSL and other publicly trusted certificates since 2005. He has been an active member of the CA/Browser Forum that released guidelines for extended validation (EV) certificates and Baseline Requirements for SSL certificates. Bruce oversees the governance and compliance of Entrust’s publicly trusted PKI.

1 Comment

Add to the Conversation