How to Protect Yourself From Certificate Bandits

There have been two major Certificate Authority attacks this year--and the hackers are wielding fake certificates

There have been two major Certificate Authority (CA) attacks this year. In March, a hacker successfully penetrated one of the largest CAs on the Web--Comodo--and managed to issue bogus certificates to himself (including one for Yahoo). The second incident took place this week when a Dutch CA, DigiNotar, was compromised and a number of fake certificates were issued.

So how does a Certificate Authority attack work? Certificate bandits break into companies--such as Comodo and DigiNotar--that issue the digital certificates your browser uses to verify a website's identity. A certificate vouches only that the site you have reached is the one named in the address bar; it says nothing about whether that site's content is safe. Certificate bandits undermine this identity check by issuing themselves certificates for domains they do not control, which lets them masquerade as sites such as Google, Mozilla, Skype, and AOL. A fake certificate on its own is not enough: the attacker also needs to sit on the network path (or control your DNS) so that your browser's connection to "Google" actually lands on a server the attacker runs, and the certificate makes that impostor look legitimate.

Here are four ways you can protect yourself from hackers wielding fraudulent certificates.

1. Keep your browser up to date.

Browser makers are quick to react to news of CA hacks, pushing out updates that blacklist the fraudulent certificates and, where the CA itself was compromised, its root. Though some browsers do this with automatic updates, others require manual updating. Know how your browser updates itself (or doesn't) and make sure you're running the latest version of the program. The sooner your browser is updated, the sooner the fake certificates stop working in it.

2. Enable certificate revocation in your browser.

In some browsers, certificate revocation or certificate status checking (done via CRLs or OCSP) is turned off by default. If this is the case, turn it on. When a CA detects a problem certificate, it revokes the credential. The only way your browser can determine that a certificate has been revoked--and warn you about it--is if the status checker is activated. Two caveats: revocation only covers certificates the CA knows about and has actually revoked, and most browsers treat an unreachable revocation server as "not revoked" rather than as an error, so an attacker who can intercept your traffic can often block the check as well. Treat revocation checking as a complement to the other steps, not a substitute for them.

3. Customize the root certificates in your browser.

Most browsers include a number of "root certificates" in them by default. Such credentials act as blanket permissions to accept all the certificates from a CA. For example, in the recent DigiNotar case, a root certificate for that CA installed in a browser would allow any certificate issued by the CA to be automatically trusted--even fake ones, and even ones the CA itself never recorded and so could never revoke. Recognizing that, the major browser makers--Microsoft, Mozilla and Google--swiftly removed the DigiNotar root certificate from their products. In some browsers, you can manually disable root certificates, although this may test your technological savvy and patience. There can be more than 100 roots in a browser, and editing the trust settings in each one can be very time consuming.
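As an added illustration of steps 2 and 3 (this is example code written for this page, not code from PC World, Comodo or DigiNotar), the Python below uses the `cryptography` library to build two toy CAs: an honest one, and a compromised one that has issued certificates for a site it has no business certifying. It then shows three things: a fraudulently issued certificate carries a perfectly valid signature under the compromised root, so a browser that still trusts that root accepts it; revocation checking catches the fake only if the CA has recorded and revoked it; and removing the root from the trust store rejects every certificate that root ever signed, recorded or not. All CA names, hostnames and serial numbers are constructed for the example.

```python
"""Added example (not from the article): a toy X.509 trust store showing why a
compromised root must be removed and what revocation checking can and cannot do.
Needs the `cryptography` package. All CA names, site names and serials are constructed."""
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID

NOW = datetime.datetime(2011, 9, 1)  # naive datetimes are treated as UTC
DAY = datetime.timedelta(days=1)

def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def _validity(cert):
    # cryptography >= 42 adds *_utc accessors; older releases only have the naive ones
    if hasattr(cert, "not_valid_before_utc"):
        return (cert.not_valid_before_utc.replace(tzinfo=None),
                cert.not_valid_after_utc.replace(tzinfo=None))
    return cert.not_valid_before, cert.not_valid_after

def make_root(cn):
    """Self-signed CA certificate and its private key."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    cert = (x509.CertificateBuilder()
            .subject_name(_name(cn)).issuer_name(_name(cn))
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(NOW - DAY).not_valid_after(NOW + 3650 * DAY)
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert

def issue(ca_key, ca_cert, cn, serial):
    """Leaf certificate for cn signed by the CA. Nothing here verifies that the
    requester controls cn; that is exactly the check the bandits bypassed."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    return (x509.CertificateBuilder()
            .subject_name(_name(cn)).issuer_name(ca_cert.subject)
            .public_key(key.public_key()).serial_number(serial)
            .not_valid_before(NOW - DAY).not_valid_after(NOW + 365 * DAY)
            .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
            .sign(ca_key, hashes.SHA256()))

def make_crl(ca_key, ca_cert, revoked_serials):
    """CRL signed by the CA, listing the serials the CA knows to be bad."""
    builder = (x509.CertificateRevocationListBuilder().issuer_name(ca_cert.subject)
               .last_update(NOW).next_update(NOW + 7 * DAY))
    for serial in revoked_serials:
        builder = builder.add_revoked_certificate(x509.RevokedCertificateBuilder()
                                                  .serial_number(serial).revocation_date(NOW).build())
    return builder.sign(ca_key, hashes.SHA256())

def check_leaf(leaf, trust_store, crls, check_revocation=True, now=NOW):
    """Minimal validation of a leaf signed directly by a trusted root.
    trust_store and crls are dicts keyed by the issuer's RFC 4514 name.
    Returns (accepted, reason)."""
    issuer = leaf.issuer.rfc4514_string()
    root = trust_store.get(issuer)
    if root is None:
        return False, "issuer is not a trusted root"
    try:
        root.public_key().verify(leaf.signature, leaf.tbs_certificate_bytes,
                                 padding.PKCS1v15(), leaf.signature_hash_algorithm)
    except InvalidSignature:
        return False, "signature does not verify under the trusted root"
    not_before, not_after = _validity(leaf)
    if not not_before <= now <= not_after:
        return False, "outside validity period"
    if check_revocation:
        # Hard-fail when no trustworthy CRL is at hand. Browsers of the period
        # mostly soft-failed here, treating "no answer" as "not revoked".
        crl = crls.get(issuer)
        if crl is None or not crl.is_signature_valid(root.public_key()):
            return False, "no usable revocation information"
        if crl.get_revoked_certificate_by_serial_number(leaf.serial_number) is not None:
            return False, "revoked by issuer"
    return True, "accepted"

def run_scenario():
    """Constructed DigiNotar-style scenario: which certificates get accepted?"""
    honest_key, honest_root = make_root("Honest Example CA")
    bad_key, bad_root = make_root("Compromised Example CA")
    genuine = issue(honest_key, honest_root, "www.example.com", 1001)
    bogus = issue(bad_key, bad_root, "www.example.com", 2002)     # CA notices and revokes it
    unlogged = issue(bad_key, bad_root, "www.example.com", 3003)  # CA never records this one
    full_store = {c.subject.rfc4514_string(): c for c in (honest_root, bad_root)}
    pruned_store = {honest_root.subject.rfc4514_string(): honest_root}
    crls = {honest_root.subject.rfc4514_string(): make_crl(honest_key, honest_root, []),
            bad_root.subject.rfc4514_string(): make_crl(bad_key, bad_root, [2002])}
    return {
        "genuine": check_leaf(genuine, full_store, crls)[0],
        "bogus_no_revocation_check": check_leaf(bogus, full_store, crls, check_revocation=False)[0],
        "bogus_with_revocation_check": check_leaf(bogus, full_store, crls)[0],
        "unlogged_with_revocation_check": check_leaf(unlogged, full_store, crls)[0],
        "bogus_root_removed": check_leaf(bogus, pruned_store, crls)[0],
        "unlogged_root_removed": check_leaf(unlogged, pruned_store, crls)[0],
    }

if __name__ == "__main__":
    for case, accepted in run_scenario().items():
        print(f"{case:32} {'ACCEPTED' if accepted else 'rejected'}")
```

Run it directly to print which certificates each trust configuration accepts. The check deliberately hard-fails when no CRL is available, which is stricter than the browsers of the time; that difference, together with the "unlogged" certificate the CA never revoked, is why step 2 on its own is not enough and the root itself has to go.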

4. Always look for the green bar inside your browser's address bar.

That's a sign that the certificate for the URL in the address bar has been subjected to an "extended validation" process. Not all websites have them, but many high-profile sites do. "That's your assurance that the certificate holder has gone through a very rigorous, documented process of authentication and vetting," Symantec Technical Director Rick Andrews explained to PC World. "By definition EV certs can't be instantly issued. They have to be vetted by humans." The practical upshot is the reverse check: if a site that normally shows the green bar suddenly does not, stop and treat the connection as suspect, because a fraudulently issued certificate will not carry that extended-validation marking.

Follow freelance technology writer John P. Mello Jr. and Today@PCWorld on Twitter.
