Home » Topics » Cybersecurity » Hackers steal web security certificates

Hackers steal web security certificates

Avatar photoby Ben Rossi

Hackers managed to infiltrate an organisation that issues HTTPS web security certificates earlier this month, almost triggering what privacy advocacy group the Electronic Frontier Foundation described as "an Internet-wide security meltdown".

HTTPS certificates allow web site operators to secure online transactions by informing a visitor’s web browser that the site can be trusted. They are issued by certificate authorities, whose responsibility it is to make they are only issued to trusted web sites.

Iran confirms cyber attack on nuclear facilities Iranian president Ahmadinejad accuses West and Israel of infecting nuclear centrifuges with malicious software, widely believed to be Stuxnet
Is cyber attack as threatening as terrorism? The government’s new defence strategy raises cyber attacks to a ‘tier one’ threat

On March 17th, browser makers Mozilla and Google issued software updates that blocked a number of security certificates. An investigation by online anonymity technology group Tor discovered that these certificates had all been issued by the same certificate authority, Comodo.

Following the investigation, Comodo revealed that it had been compromised by hackers that appear to have been operating from Iran. The hackers managed to obtain HTTPS certificates for a number of high profile websites, including Google, Yahoo and Mozilla.

Were it not for the software updates, hackers could have used these certificates to trick browsers into trusting any website they chose.

Comodo says that potential damage was not so great, as the hackers did not get their hands on its master "private keys".

But according to the Electronic Frontier Foundation, the episode has revealed the vulnerability of the current security certification system.

"The incident got close to — but was not quite — an Internet-wide security meltdown," wrote senior staff technology Peter Eckersley yesterday. "As this post will explain, these events show why we urgently need to start reinforcing the system that is currently used to authenticate and identify secure websites and email systems."

Avatar photo

Ben Rossi

Ben was Vitesse Media's editorial director, leading content creation and editorial strategy across all Vitesse products, including its market-leading B2B and consumer magazines, websites, research and...

Related Topics

Related Stories

Cybersecurity

How AI will shift the security landscape in 2024

The impact of AI within cybersecurity is expected to grow significantly this year, says Alex Holland, senior malware analyst at HP

AI & Machine Learning

NCSC releases guidelines for secure AI development

New guidance from the National Cyber Security Centre (NCSC) aims to help businesses securely innovate with AI and minimise risks

Cybersecurity

3 cybersecurity compliance challenges and how to address them

Earning those trust seals can strengthen relationships with board members and prospective customers, but it sure isn’t easy.

Cybersecurity

70% of UK firms reported cyber insurance changes in past year

According to research from Databarracks, seven in 10 UK businesses have seen changes to their cyber insurance in the past 12 months, as requirements rise