There are companies, SSL certification agencies, whose role it is to act as the middle man, whispering unique encryption codes (SSL certificates) to you and your bank so that only the two of can decipher the information passing back and forth. When your browser starts a bank website conversation, it talks to one of these SSL certification agencies to get a unique encryption code that only you and the bank website can use. This process has become increasingly popular and important to web shoppers. There are several security agencies that serve out unique encryption codes located all over the world. Popular SSL agencies such as VeriSign, a well-known american agency that supplies unique encryption codes to banks.
In addition to encrypting transmitted data, SSL certificates are used to verify the identity of a person or device, authenticate a service or encrypt files, allowing a fraudulent certificate to spoof web content (present fake web pages), perform phishing attacks (maliciously act as a legitimate website) and perform man-in-the-middle attacks (spy on all information passed between a browser and its target server).
Unfortunately, there have been several cases recently where the unthinkable (the compromising of SSL certification agencies) has happened. The two recent SSL certification agency compromises that have occurred in recent months included Comodo, a New Jersey based company with offices around the world, and DigiNotar, a Dutch-based certificate authority. In March of this year, hackers gained access to Comodo’s SSL certificate generation system to fabricate nine fraudulent credentials for big name sites like Google, Yahoo, Skype and Microsoft’s Hotmail. It is believed that as many as 300,000 Iranians may have had their online communications tapped into as a result Comodo’s and DigiNotar’s falsified SSL certificates.
The hacker of Comodo, a 21 year old Iranian student recently told the New York Times that his country (Iran) should have control over Google, Skype, Yahoo, etc. he specifically states “I’m breaking all encryption algorithms and giving power to my country to control all of them.”
The good news is that these hacks are very rare and companies such as Comodo and DigiNotar provide many checks to maintain their security policies. Although these SSL hacks are very rare, they are now know to man to be hackable and our hope of having a safe and secure internet are now postponed. As expected all of the ruling bodies that control the Internet have rallied to identify the root causes of these breaches and are working on future preventable methods.