Web trust dies in darkness: Hidden Certificate Authorities undermine public crypto infrastructure

2021-11-19 04:00

Security researchers have checked the web's public key infrastructure and have measured a long-known but little-analyzed security threat: hidden root Certificate Authorities.

You can be reasonably confident that your bank website is actually your bank website when it presents your browser with an end-user or leaf certificate that's linked through a chain of trust to an intermediate certificate and ultimately the X.509 root certificate of a trusted CA. Each browser relies on a trust store consisting of a hundred or so root certificates that belong to a smaller set of organizations.

Researchers affiliated with universities in China and the US recently examined the certificate ecosystem and found that there are a great many hidden root certificates.

"In total, over 1.17 million hidden root certificates are captured and they cause a profound impact from the angle of web clients and traffic," the researchers report.

Hidden root certificates refer to root CAs that are not trusted by public root programs.

Even in scenarios where hidden root certs were being used legitimately by government agencies and enterprises for appropriate purposes, the researchers found implementation flaws - 75 per cent of those certificate chains had verification errors from weak signature algorithms.

News URL

https://go.theregister.com/feed/www.theregister.com/2021/11/19/web_trust_certificates/

#certificate #crypto #infrastructure #WEB