TransWikia.com

How should we respond to a root CA breach?

Information Security Asked on November 11, 2021

In the unlikely event that a root CA is breached (e.g. Comodo, DigiNotar), how should people and companies respond?

(Assume the people responding practice infosec & are aware of the problems of such a compromise)

Possible responses:

  • Assume much of the internet is insecure and temporarily stop/minimize using it
  • Continue internet usage as usual, watching out for issues using common sense
  • Remove certain certificates from the browser and continue with the internet

One Answer

Certificates protect against man-in-the-middle attacks, which are already pretty hard to accomplish on the open Internet. The attacker usually needs to either control a router between user and website or the DNS server used by the user. That's not something a wannabe cybercriminal can pull off from their basement. That's something which is usually done by state actors.

For most regular users it would be good enough to just let the browser vendors assess the situation and wait for them to revoke the root certificate with the next update if they deem it necessary.

But when you are working in a particularly sensitive industry targeted by highly sophisticated attackers, then you might opt to remove the CA's root certificate from your browser's certificate store yourself (how to do that depends on the web browser you are using). The result will be that any website which has a certificate issued by that certificate authority now generates a security warning. You can of course choose to ignore that warning and keep browsing it under the assumption that what you see might actually be a fake website provided by your attackers.

Also note that some websites might use certificate pinning. So your browser will remember who signed the certificate when it first saw the website and reject a certificate by a different certificate authority.

Answered by Philipp on November 11, 2021
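The two mechanisms the answer above relies on, removing a root from the trust store and certificate pinning, can be exercised end to end with Go's standard library. The following program is an added example, not code from the answer or from any browser vendor: it constructs two throwaway root CAs in memory ("Honest" and "Rogue", where Rogue stands in for the breached CA), has each issue a server certificate for the constructed hostname `example.test`, and shows that path validation for the Rogue-issued certificate succeeds while Rogue's root is trusted and fails with `x509.UnknownAuthorityError` once that root is removed by its SHA-256 fingerprint, while the Honest-issued certificate is unaffected. Pinning is modelled as an HPKP-style SPKI hash of the CA key, which is one concrete form of the "remember who signed it" behaviour the answer describes: the Rogue-issued certificate still validates against the full store, but fails the pin check because no certificate in its chain carries the pinned key.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

type pki struct{ root, leaf *x509.Certificate } // a constructed root CA and one server cert it issued

func must[T any](v T, err error) T { // fixture helper: this is test scaffolding, not server code
	if err != nil {
		panic(err)
	}
	return v
}

func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))))
}

// newPKI builds an in-memory root CA named org and a TLS server certificate for host (assumed names).
func newPKI(org, host string) *pki {
	rootKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	now := time.Now()
	rootTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: org + " Root CA"},
		NotBefore:    now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA:         true, BasicConstraintsValid: true,
		KeyUsage:     x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	root := issue(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey) // self-signed
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return &pki{root, issue(leafTmpl, root, &leafKey.PublicKey, rootKey)}
}

// fingerprint is the SHA-256 of the DER certificate, the value a browser's certificate viewer shows.
func fingerprint(c *x509.Certificate) [32]byte { return sha256.Sum256(c.Raw) }

// spkiPin hashes the SubjectPublicKeyInfo, the quantity HPKP-style pins are built from.
func spkiPin(c *x509.Certificate) [32]byte { return sha256.Sum256(c.RawSubjectPublicKeyInfo) }

// distrust is the "remove the CA's root from the store" step, done on a list instead of a browser profile.
func distrust(store []*x509.Certificate, fp [32]byte) []*x509.Certificate {
	var kept []*x509.Certificate
	for _, c := range store {
		if fingerprint(c) != fp {
			kept = append(kept, c)
		}
	}
	return kept
}

// verify runs the path validation a browser performs for host, trusting exactly the roots in store.
func verify(leaf *x509.Certificate, store []*x509.Certificate, host string) ([][]*x509.Certificate, error) {
	roots := x509.NewCertPool()
	for _, c := range store {
		roots.AddCert(c)
	}
	return leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}})
}

// pinned reports whether some valid chain for leaf contains a pinned key; a chain that validates
// but was issued by a different CA fails here even though verify accepted it.
func pinned(leaf *x509.Certificate, store []*x509.Certificate, host string, pins map[[32]byte]bool) bool {
	chains, err := verify(leaf, store, host)
	if err != nil {
		return false
	}
	for _, chain := range chains {
		for _, c := range chain {
			if pins[spkiPin(c)] {
				return true
			}
		}
	}
	return false
}

func main() {
	const host = "example.test" // constructed hostname
	honest, rogue := newPKI("Honest", host), newPKI("Rogue", host) // Rogue stands in for the breached CA
	store := []*x509.Certificate{honest.root, rogue.root}
	_, before := verify(rogue.leaf, store, host)
	_, after := verify(rogue.leaf, distrust(store, fingerprint(rogue.root)), host)
	fmt.Println("rogue-issued cert with rogue root trusted:", before, "| after removing it:", after)
	pins := map[[32]byte]bool{spkiPin(honest.root): true}
	fmt.Println("pin check honest:", pinned(honest.leaf, store, host, pins), "rogue:", pinned(rogue.leaf, store, host, pins))
}
```

Removing the root is a blunt instrument: every site chaining to it becomes unreachable without a warning, exactly as the answer says, so in practice you would pair it with a list of the sites you actually need. The pin check is the finer tool, but it only helps for sites whose key or CA you recorded before the breach, and it has to be maintained when those sites legitimately rotate keys or change CA.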
