The Dangers of Unauthorized Digital Certificates

Friday, August 14, 2015


Digital certificates underpin the encryption of Internet traffic that keeps sensitive information from prying eyes, and for the most part they are issued and signed by established, reputable certificate authorities such as DigiCert. But unauthorised digital certificates are also being peddled by shady vendors claiming to be cyber security firms, and websites that use these fraudulent certificates run a huge risk of having their users’ data stolen from under their noses.

In one very recent case, several of Google’s domains fell victim to just such unauthorised digital certificates. Until Google discovered them to be bogus on 20 March 2015, the certificates were recognised by all major operating systems and browsers, and the incident raised the issue of safe web browsing among companies and users alike, even on reputable websites carrying Secure Sockets Layer (SSL) certificates.

What are unauthorised digital certificates?

Unauthorised digital certificates are a tool of the Man-in-the-Middle (MITM) attack method: they are engineered to let malicious parties decrypt and monitor network communications without triggering any warnings.

Hackers may also use unauthorised digital certificates to covertly gain control of a network through fraudulent proxies and phishing websites that users might believe to be trustworthy. The fake websites may also infect devices with malicious code or content, and install keyloggers or backdoor code without fear of detection.

The personal data gathered from MITM attacks may then be used to impersonate victims to access vital information such as bank accounts and credit card information, or even commit fraud, causing damage to the victim’s name and financial reputation.

Tell-tale Signs of Unauthorised Digital Certificates

To prevent sensitive data from being compromised, both site owners and users alike need to learn to differentiate between authorised and unauthorised certificates, and the signs to look out for are simple, though subtle.

Visual cues are the easiest way to tell a properly issued certificate from a fraudulently signed one. For starters, users can check for an address bar shaded green with a green padlock, the “https://” prefix, and the site owner’s company name and organisation information in the certificate details.

[Picture 1]

Unauthorised certificates may not display the visual cues above, and may show suspicious verification information, such as verification by a third-party company rather than by the established vendor. Moreover, all major web browsers have their own fall-back security measures that notify users of suspicious sites, and their security algorithms are constantly updated to plug security loopholes as they are discovered.

[Picture 2]

If you encounter a site you know to be reputable whose SSL certificate cannot be verified by a trusted third party (a self-signed certificate), you should leave the page immediately and inform the site owner and the relevant website authority.
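As an added example (not code from the original post or from Cyber Secure Asia), the following Go program builds, in memory, a constructed trust store and two certificates for the same hostname, one issued by the trusted CA and one self-signed by an impostor, and then runs the checks a browser performs behind the cues described above: whether the certificate is self-signed, whether it chains to a trusted root, whether it is issued for the host being visited, and whether it names an organisation. Every name used here ("Example Trusted Root CA", "Example CA Ltd", "example.sg", "Example Site Pte Ltd") and every key is constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Assessment records the cues the article points to: issuer, organisation,
// self-signed or not, trusted chain or not, and hostname match.
type Assessment struct {
	Subject, Issuer, Organisation         string
	SelfSigned, ChainTrusted, HostMatches bool
	Problem                               string
}

// AssessCertificate checks a certificate against a trust store (roots) the
// way a browser does before it shows the padlock.
func AssessCertificate(cert *x509.Certificate, roots *x509.CertPool, host string) Assessment {
	a := Assessment{Subject: cert.Subject.CommonName, Issuer: cert.Issuer.CommonName}
	if len(cert.Subject.Organization) > 0 {
		a.Organisation = cert.Subject.Organization[0]
	}
	// Self-signed: issuer equals subject and the signature validates under the
	// certificate's own key, so no third party has vouched for it.
	a.SelfSigned = cert.Issuer.String() == cert.Subject.String() &&
		cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature) == nil
	a.HostMatches = cert.VerifyHostname(host) == nil
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host}); err != nil {
		a.Problem = err.Error() // e.g. "certificate signed by unknown authority"
	} else {
		a.ChainTrusted = true
	}
	return a
}

// issue generates a fresh key for tmpl and signs the certificate with signer,
// or with the new key itself (self-signed) when parent is nil.
func issue(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c, key
}

// BuildScenario constructs, in memory, a stand-in trust store and two
// certificates for one hostname: one issued by the trusted CA and one
// self-signed by an impostor. Every name and key here is constructed.
func BuildScenario(host string) (roots *x509.CertPool, genuine, impostor *x509.Certificate) {
	now := time.Now()
	ca, caKey := issue(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Trusted Root CA", Organization: []string{"Example CA Ltd"}},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}, nil, nil)
	roots = x509.NewCertPool()
	roots.AddCert(ca)
	leaf := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host, Organization: []string{"Example Site Pte Ltd"}},
		DNSNames:     []string{host},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	genuine, _ = issue(leaf, ca, caKey)
	// The impostor copies the hostname but carries no CA signature and names
	// no organisation; it can only sign with its own key.
	imp := *leaf
	imp.SerialNumber = big.NewInt(3)
	imp.Subject = pkix.Name{CommonName: host}
	impostor, _ = issue(&imp, nil, nil)
	return roots, genuine, impostor
}

func main() {
	roots, genuine, impostor := BuildScenario("example.sg")
	for _, c := range []*x509.Certificate{genuine, impostor} {
		fmt.Printf("%+v\n", AssessCertificate(c, roots, "example.sg"))
	}
}
```

Run it with `go run`: the impostor's hostname matches and it looks fine at a glance, but it is self-signed, names no organisation, and fails the chain check with an unknown-authority error, which is exactly the situation the previous paragraph tells users to walk away from. The same routine, pointed at a certificate obtained from a live TLS connection, reports the same cues.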

The cyber security cat-and-mouse game is constantly evolving, and users should always be vigilant when surfing the web. Companies should never engage suspicious cyber security solutions providers, and Cyber Secure Asia is committed to protecting cyberspace in Singapore and continues to seek reputable providers such as DigiCert for reliable protection against cyber threats.

About Ashlee Ang

Ashlee is a content writer at Cyber Secure Asia where she writes about introductory topics on cyber security and cyber-related happenings in Singapore & South East Asia.
