First it was Superfish, then it was Dell's eDellRoot. In both cases a root-level SSL CA, whose private key is normally kept in an offline, tamper-resistant vault in a secured datacenter, was created with its private key shipped on desktop computers worldwide. Anyone who extracted that key could use it to issue a certificate for any website and impersonate that site to affected users. There are also CAs that don't properly handle their keys, like China's CNNIC. How do you know who you trust? And how do you control it?

The browser you're using right now trusts a bunch of certificate authorities. Which bunch, properly called a 'root certificate store', is determined by your OS and browser: the major root certificate stores are Apple's, Microsoft's, Mozilla's, and Android's. When you visit a website, the site presents a certificate that's signed by another certificate, which is signed by another certificate, until you reach one of the certificates in the store you're using. If the chain ends at a certificate that is not in your store, the connection is rejected as untrusted; if it ends at one that is, the browser accepts it without further question, which is exactly why a trusted root whose private key is public is so dangerous.

Each certificate store has its own requirements for a certificate authority to get added. However, they all require certificate authorities to pass WebTrust for Certification Authorities, an audited assurance process covering the policies and procedures for verifying identity, issuing certificates, handling keys, and more. Occasionally CAs violate the WebTrust requirements: CNNIC (an agency of the Chinese government) and Symantec both recently issued fake certificates for. In CNNIC's case, it delegated its signing authority to a third party by issuing it an intermediate CA certificate, and that third party issued the fake certificates.
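The chain-walking and root-store behaviour described above, as an added example (not code from the original post): it builds a throwaway root, intermediate and leaf with Go's standard crypto/x509 package, verifies the leaf the way a browser does, and then shows what happens when a Superfish/eDellRoot-style root is installed into the store. All certificate names, hostnames and the store contents are constructed for the example; the rogue root here is generated locally and is not the real Superfish or eDellRoot certificate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// serial is a simple counter so every constructed certificate gets a unique serial number.
var serial int64

// mkCert generates a P-256 key and a certificate for it. When parent is nil the
// certificate is self-signed (a root); otherwise it is signed by parentKey.
func mkCert(cn string, isCA bool, dns []string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		DNSNames:              dns,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign // a CA must be allowed to sign certificates
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth} // a website cert
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// VerifyChain does what a browser does: walk from the site's certificate through the
// intermediates it presented until a certificate in the root store is reached, and
// check that the certificate is actually for the host being visited.
func VerifyChain(leaf *x509.Certificate, intermediates []*x509.Certificate, roots *x509.CertPool, host string) error {
	inter := x509.NewCertPool()
	for _, c := range intermediates {
		inter.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots, Intermediates: inter})
	return err
}

// Scenarios builds the constructed chains and reports, per scenario, whether the
// leaf certificate would be accepted.
func Scenarios() map[string]bool {
	root, rootKey := mkCert("Trusted Root CA", true, nil, nil, nil)
	inter, interKey := mkCert("Trusted Intermediate CA", true, nil, root, rootKey)
	leaf, _ := mkCert("example.com", false, []string{"example.com"}, inter, interKey)

	// A root whose private key ships on every desktop: anyone holding it can mint
	// a certificate for any hostname, here a hypothetical bank.example.
	rogueRoot, rogueKey := mkCert("eDellRoot-style root", true, nil, nil, nil)
	rogueLeaf, _ := mkCert("bank.example", false, []string{"bank.example"}, rogueRoot, rogueKey)

	clean := x509.NewCertPool() // a store containing only the legitimate root
	clean.AddCert(root)
	poisoned := x509.NewCertPool() // the same store after the rogue root was installed
	poisoned.AddCert(root)
	poisoned.AddCert(rogueRoot)

	chain := []*x509.Certificate{inter}
	return map[string]bool{
		"legit chain, root in store":       VerifyChain(leaf, chain, clean, "example.com") == nil,
		"legit chain, wrong host":          VerifyChain(leaf, chain, clean, "evil.example") == nil,
		"legit chain, empty store":         VerifyChain(leaf, chain, x509.NewCertPool(), "example.com") == nil,
		"rogue leaf, clean store":          VerifyChain(rogueLeaf, nil, clean, "bank.example") == nil,
		"rogue leaf, rogue root installed": VerifyChain(rogueLeaf, nil, poisoned, "bank.example") == nil,
	}
}

func main() {
	for name, ok := range Scenarios() {
		fmt.Printf("%-34s accepted=%v\n", name, ok)
	}
}
```

The last two scenarios are the point: the forged bank.example certificate is rejected by a clean store and accepted by the store with the rogue root added, with no error and no warning. The browser has no way to tell a root that was installed by a vendor's bloatware from one that earned its place through a WebTrust audit; trust is purely a property of the store.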