
Broken Trust – Exposing the Malicious Use of Digital Certificates and Cryptographic Keys

November 7, 2013 | Gavin Hill

Digital certificates and cryptographic keys are interwoven into our everyday lives. Think about it: from accessing the Wi-Fi hotspot at your local coffee shop to flying across the country, keys and certificates are entwined into the very fabric of cyber-space. They help to authenticate and secure person-to-machine and machine-to-machine communications—creating the foundation for secure online transactions. Data at rest or in transit is secured by keys and certificates. They establish trust.

But what happens when trust is broken? What happens when malicious actors take advantage of the trust established by keys and certificates, turn that trust against you, and use certificates and keys for nefarious gain? That’s exactly what is happening. The last few years have seen a rampant increase in the use of keys and certificates as an attack vector against organizations. It’s important to recognize cyber-criminals’ motives and techniques to understand how to better protect yourself from the onslaught of attacks on keys and certificates.

Generally, there are three types of cyber-criminals: cyber-crime actors, cyber-espionage actors, and other threat actors such as hacktivist groups. Cyber-crime actors are motivated by financial gain, whereas cyber-espionage actors are driven by the collection of intellectual property (IP). Hacktivists, on the other hand, are motivated by ideologies such as religious beliefs or political views.

Venafi collaborated with ISIGHT Partners to highlight some examples of how reliant society is on keys and certificates, and how cyber-criminals exploit keys and certificates to gain illicit access to organizations. ISIGHT Partners provides detailed information about the different types of cyber-criminals, including:

  • Threat actor threat sources
  • Threat actor attack methodologies
  • Threat actor attack surface

What’s very evident from the research is that cyber-criminals will use any tactic they can to gain access into an organization’s network. The Broken Trust white paper includes a few case studies that show exactly how cyber-criminals use keys and certificates to their advantage, exploiting the trust keys and certificates are meant to establish. Some of the case studies include:

  • Using certificates in a spam campaign
  • Pharming
  • Using Secure Shell (SSH) to infiltrate a network and expand a user’s rights within that network
  • Using Secure Sockets Layer (SSL) to disguise communications

The alarming part is that the examples in the paper are by no means an exhaustive list. On a daily basis, news outlets report new ways cyber-criminals are taking advantage of the blind trust most organizations have in keys and certificates.


Download your copy of the Broken Trust whitepaper to learn more.
