2

If an adversary took over a major Certificate Authority, what bad things could they do? Aside from the obvious attacks, what could they do in the context of the Public Key Infrastructure as a whole?

schroeder
  • 123,438
  • 55
  • 284
  • 319
Brooney
  • 63
  • 4
  • 2
    What "obvious" attacks are you considering? What is "the Public Key Infrastructure as a whole"? – schroeder Apr 28 '20 at 14:58
  • @Shroeder when thinking about the public key infrastructure, if an adversary took over a major CA, what kinds of bad things could they do? – Brooney Apr 28 '20 at 15:03

1 Answers1

3

This has happened. In 2011, the CA Diginotor was breached by a malicious actor, enabling the malicious actor to issue fraudulent certificates for any site on the internet. These certificates were trusted by most web browsers, because most web browsers had Diginotor's root CA certificate installed in their trust stores. This made it possible for anyone with control of a user's network connections to pull-off a man-in-the-middle attack for connections by that user to any site on the internet.

In the case of the Diginotor attack, it is suspected that the Iranian government took advantage of the Diginotor breach to issue false certificates for gmail.com, then used these certificates to conduct MITM attacks by way of its state-run ISP's to spy on its citizens' gmail accounts. Comodo may have also been hacked.

Nowadays, there are standards in place to protect against these types of such as DNSSEC/DANE. But, adoption has been slow.

What's scary is that it could happen again. And, it wouldn't even require a hack. The malicious actors would simply need to write a check, and acquire a CA. A number of CA’s have been acquired in recent years for under $1B (e.g. Symantec's CA business was acquired for $950M in 2017), which is nothing for a well-funded terrorist group, and pocket-change for a rogue nation.

mti2935
  • 19,868
  • 2
  • 45
  • 64
  • 2
    The fact that money is the only barrier to such a significant position of trust is a huge issue. Likely it's not in any major player's interests to act against the customers in such an obvious way, but the potential for under that table abuse is and remains huge. The fact that many major registration organisations don't support the only real amelioration: DNS CAA, is also a worry. – Peter David Carter Apr 28 '20 at 15:36
  • 1
    thanks for the great answer – Brooney Apr 28 '20 at 20:25