
Fake Digital Certificates Found in the Wild While Observing Facebook SSL Connections

  • May 12, 2014

Petrovic
Gold VIP
Visiting a website certified with an SSL certificate doesn’t mean that the website is not bogus. Secure Sockets Layer (SSL) protects web users in two ways: it uses public key encryption to encrypt sensitive information between a user’s computer and a website, such as usernames, passwords, or credit card numbers, and it also verifies the identity of websites. Today hackers and cyber criminals are using every tantrum to steal users’ credentials and other sensitive data by injecting fake SSL certificates into bogus websites impersonating social media, e-commerce, and financial websites as well.

DETECTING FAKE DIGITAL CERTIFICATES WIDELY

A group of researchers, Lin-Shung Huang, Alex Rice, Erling Ellingsen and Collin Jackson, from Carnegie Mellon University in collaboration with Facebook have analyzed [PDF] more than 3 million SSL connections and found strong evidence that at least 6,845 (0.2%) of them were in fact tampered with forged certificates, i.e. self-signed digital certificates that aren’t authorized by the legitimate website owners, but will be accepted as valid by most browsers. They utilized the widely-supported Flash Player plug-in to enable socket functionality and implemented a partial SSL handshake on their own to capture forged certificates, and deployed this detection mechanism on an Alexa top 10 website, Facebook, which terminates connections through a diverse set of network operators across the world. Generally, modern web browsers display a warning message when encountering errors during SSL certificate validation, but the warning page still allows users to proceed over a potentially insecure connection. Full Article

1 reply

The following article is an update on Fake Digital Certificates

By Eduard Kovacs on July 09, 2014

Rogue digital certificates issued in India for several Google domains were identified and blocked last week, Google representatives said Tuesday.
According to Google Security Engineer Adam Langley, the unauthorized certificates were issued by India's National Informatics Center (NIC), which holds several intermediate Certification Authority (CA) certificates trusted by the Indian Controller of Certifying Authorities (India CCA).
Google said that it has notified NIC, India CCA and Microsoft and has taken steps to make sure the fake certificates are not misused. There's no evidence of widespread abuse and Google is not asking users to change their passwords, but the company has rolled out CRLSet updates to block the certificates.
Full Article: http://www.securityweek.com/fake-google-digital-certificates-issued-indian-organization
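Both posts describe the same defensive idea from the site operator's side: capture the leaf certificate a client actually received, compare it with what the site really deployed, and treat anything self-signed, signed by an unknown key, or already on a pushed blocklist (the CRLSet mechanism Google used) as forged. The following is an added example, not code from either post, the CMU/Facebook paper, or Google. It assumes a constructed `subject|issuer|spki_sha256|cert_sha256` observation log, a pinned set of legitimate key hashes, and a CRLSet-style fingerprint blocklist; every hash value in it is a constructed label, not a real fingerprint.

```python
"""Flag forged leaf certificates in a constructed observation log.

Added example (not from the post, the paper, or Google). Assumed inputs:
a "subject|issuer|spki_sha256|cert_sha256" log line per captured leaf
certificate, a pinned set of legitimate SPKI hashes, and a CRLSet-style
blocklist of certificate fingerprints. All hash values are constructed.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, List


def fake_hash(label: str) -> str:
    """Constructed stand-in for SHA-256 of DER bytes (a real detector hashes the bytes)."""
    return hashlib.sha256(label.encode()).hexdigest()


# Public-key hashes the site operator actually deployed (constructed values).
PINNED_SPKI = {fake_hash("site-leaf-key-2014"), fake_hash("site-leaf-key-backup")}

# Fingerprints already revoked by a pushed blocklist, like a CRLSet (constructed).
BLOCKED_CERTS = {fake_hash("cert-from-rogue-intermediate")}

# Constructed observations, one captured leaf certificate per line.
OBSERVATIONS = "\n".join([
    # the certificate the site really serves
    f"CN=www.example.com|CN=Example Public CA|{fake_hash('site-leaf-key-2014')}|{fake_hash('legit-cert')}",
    # self-signed forgery: issuer equals subject, browsers warn but let users click through
    f"CN=www.example.com|CN=www.example.com|{fake_hash('self-signed-key')}|{fake_hash('self-signed-cert')}",
    # interception proxy: valid-looking chain to a CA the site never used
    f"CN=www.example.com|CN=Corporate Proxy CA|{fake_hash('proxy-key')}|{fake_hash('proxy-cert')}",
    # rogue intermediate: issuer name copied from the real CA, but already blocklisted
    f"CN=www.example.com|CN=Example Public CA|{fake_hash('attacker-key')}|{fake_hash('cert-from-rogue-intermediate')}",
])


@dataclass(frozen=True)
class Observation:
    subject: str
    issuer: str
    spki_sha256: str
    cert_sha256: str

    @classmethod
    def parse(cls, line: str) -> "Observation":
        """Parse one log line; malformed lines are an error, not silently 'ok'."""
        fields = line.split("|")
        if len(fields) != 4:
            raise ValueError(f"malformed observation: {line!r}")
        return cls(*fields)

    def is_self_signed(self) -> bool:
        return self.subject == self.issuer


def classify(obs: Observation) -> str:
    """Cheapest, most certain signal first: known-bad fingerprint, then structure, then key."""
    if obs.cert_sha256 in BLOCKED_CERTS:
        return "blocklisted"
    if obs.is_self_signed():
        return "self-signed"
    if obs.spki_sha256 not in PINNED_SPKI:
        return "unexpected-key"  # chain may validate, but it is not the operator's key
    return "ok"


def scan(log: str) -> Dict[str, List[Observation]]:
    """Group every observation in the log by its classification."""
    report: Dict[str, List[Observation]] = {}
    for line in log.splitlines():
        if not line.strip():
            continue
        obs = Observation.parse(line)
        report.setdefault(classify(obs), []).append(obs)
    return report


def forged_ratio(log: str) -> float:
    """Fraction of observations that were not the expected certificate."""
    report = scan(log)
    total = sum(len(v) for v in report.values())
    forged = total - len(report.get("ok", []))
    return forged / total if total else 0.0


if __name__ == "__main__":
    for verdict, items in scan(OBSERVATIONS).items():
        for obs in items:
            print(f"{verdict:15} issuer={obs.issuer}")
    print(f"forged ratio: {forged_ratio(OBSERVATIONS):.2%}")
```

The pin check is what catches the interception-proxy case: the chain may validate in a browser that trusts the proxy's root, but the key is not one the site operator ever deployed, which is exactly the signal a site-side detector has that the client's browser does not.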

