SSL/TLS Attacks, Part 2: Where Can Cybercriminals Access Digital Certificates?

February 8, 2019 | Guest Blogger: Jack Walker

In my last post, I discussed why attackers go after digital certificates. The simple answer is that criminals are interested in obtaining machine identities. However, the way criminals go about getting them has historically taken numerous different approaches.

Some attackers have looked to compromise the CA itself, in order to issue their own certificates across various web domains, while others have looked to simply buy stolen certificates online. A recent study from the Cyber Security Research Institute (CSRI) revealed that certificates could be available to buy on the dark web for just over a thousand dollars ($1,200). In some cases, criminals have even been able to abuse free certificates issued by Let’s Encrypt.

Once they have these machine identities, criminals are largely in the clear. Executable code and documents signed with a digital certificate that was issued by a CA and is trusted by you or your computer are far more likely to be accepted and executed without warning messages. This makes such certificates a good vehicle for delivering malicious software and other nefarious items.

As a result, many experts have said that digital certificates—and the PKI environments in which they sit—are at risk and should be a concern for organizations big and small, in both the public and private sectors.

Others have blamed CAs themselves as a ‘weak link’ in Internet security, a notion so widespread that last year Google decided to acquire several root certificates so it could issue its own digital (TLS/SSL) certificates rather than rely on third-party firms. As a result of this, any firm now wishing to connect to a Google service will need two root certificates specified by Google. In short, the search giant and the world's most popular website is also now its own root certificate authority.

“CAs have the power to issue digital certificates for domains even if the digital certificate for a particular domain already exists,” said European cyber-security agency ENISA in a recent report.

“As previous incidents suggest, CAs can be abused either internally by the mismanagement of their service or by a third-party due to a security breach, with severe consequences for Internet security.”

Furthermore, the problem for organizations is not solely the loss of such certificates, but also how they react afterwards. Once a legitimate code-signing certificate has been stolen, it can be difficult to revoke even after the theft has been discovered. As CSO Online explains, that’s because revoking it “means all the legitimate software signed by the certificate will no longer be accepted as legitimate, either.”
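
The all-or-nothing nature of revocation is easiest to see in a verifier that mirrors what a code-signing consumer actually checks. The Go program below is an added example, not code from the original post or from Venafi: it uses only the standard library to build a constructed root CA and code-signing certificate, signs two artifacts with the same key, and shows that the revocation check is keyed on the certificate's serial number (a constructed stand-in for a CRL entry), so revoking the certificate rejects the vendor's genuine release along with anything signed after the theft. The CA name, vendor name, serial numbers and artifact contents are all constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Verifier checks a signed artifact the way a code-signing consumer does: trust chain,
// code-signing EKU, revocation, then the signature. revoked is a constructed CRL stand-in.
type Verifier struct {
	roots   *x509.CertPool
	revoked map[string]bool // certificate serial number -> revoked
}

// must panics on error, which is acceptable for a demonstration with constructed inputs.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newKeyAndCert generates a P-256 key and issues a 24-hour certificate for it:
// self-signed as a root CA when parent is nil, otherwise signed by parentKey.
func newKeyAndCert(serial int64, cn string, ku x509.KeyUsage, eku []x509.ExtKeyUsage,
	parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*ecdsa.PrivateKey, *x509.Certificate) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage: ku, ExtKeyUsage: eku,
		IsCA: parent == nil, BasicConstraintsValid: parent == nil,
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return key, must(x509.ParseCertificate(der))
}

// sign produces an ECDSA signature over the SHA-256 digest of an artifact.
func sign(key *ecdsa.PrivateKey, artifact []byte) []byte {
	digest := sha256.Sum256(artifact)
	return must(ecdsa.SignASN1(rand.Reader, key, digest[:]))
}

// Verify returns nil only if cert chains to a trusted root, carries the code-signing
// EKU, is not revoked, and sig is a valid signature over artifact.
func (v *Verifier) Verify(cert *x509.Certificate, artifact, sig []byte) error {
	opts := x509.VerifyOptions{Roots: v.roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("chain: %w", err)
	}
	// Revocation is keyed on the certificate, not the artifact, so this check cannot
	// tell software signed before the key was stolen from software signed after.
	if v.revoked[cert.SerialNumber.String()] {
		return fmt.Errorf("certificate %s revoked", cert.SerialNumber)
	}
	if err := cert.CheckSignature(x509.ECDSAWithSHA256, artifact, sig); err != nil {
		return fmt.Errorf("signature: %w", err)
	}
	return nil
}

// RunScenario issues a constructed CA and code-signing certificate, signs two artifacts
// with the same key, then revokes the certificate and verifies both again.
func RunScenario() map[string]bool {
	caKey, caCert := newKeyAndCert(1, "Constructed Root CA",
		x509.KeyUsageCertSign|x509.KeyUsageCRLSign, nil, nil, nil)
	leafKey, leaf := newKeyAndCert(4242, "Constructed Software Vendor",
		x509.KeyUsageDigitalSignature, []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}, caCert, caKey)
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	v := &Verifier{roots: roots, revoked: map[string]bool{}}

	// Constructed artifacts: the vendor's genuine release, and a second file signed
	// with the same key after it was stolen.
	legit := []byte("vendor-installer-1.0 (constructed)")
	later := []byte("file signed with the stolen key (constructed)")
	legitSig, laterSig := sign(leafKey, legit), sign(leafKey, later)
	out := map[string]bool{
		"legit_before": v.Verify(leaf, legit, legitSig) == nil,
		"later_before": v.Verify(leaf, later, laterSig) == nil, // accepted: nothing distinguishes it
		"tampered":     v.Verify(leaf, []byte("vendor-installer-1.0 (modified)"), legitSig) == nil,
	}
	// The theft is discovered and the certificate is revoked; a CRL entry holds this serial.
	v.revoked[leaf.SerialNumber.String()] = true
	out["legit_after"] = v.Verify(leaf, legit, legitSig) == nil // the genuine release is now rejected too
	out["later_after"] = v.Verify(leaf, later, laterSig) == nil
	return out
}
```

Calling RunScenario from a main or a test yields legit_before and later_before true, tampered false, and both legit_after and later_after false. The verifier has no way to tell the two signed files apart, because the signature proves only that the key was used, not who used it or when; that is exactly why revoking a stolen code-signing certificate takes the vendor's own releases down with it, and why practitioners pair code signing with trusted timestamps and revocation dates so that signatures made before the compromise can still be honoured.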

You can trace the major attacks on CAs back to 2011, when an attack on Comodo ultimately resulted in the fraudulent issuance of nine digital certificates for seven different domains belonging to Yahoo, Google, Skype, Mozilla and others. All of these certificates were revoked immediately upon discovery.

All of these attack vectors illustrate the need for organizations to manage and protect their machine identities against theft or compromise.

Do cyber criminals have access to your machine identities?
