Can digital certificates be forged?


It sounds like good news: according to the Netcraft SSL Server Survey, more than a thousand times as many SSL certificates were identified in 2015 as when the survey began in 1996. But the apparently significant increase in digital certificates is not enough: "There are today over a billion websites and only three percent of them are encrypted, a security hole that cybercriminals have easily made a living from," said Roxane Divol, senior vice president and general manager of website security at Symantec.

Large range of digital certificates

In March 2016, Symantec launched Encryption Everywhere in collaboration with a number of web hosting partners. As one of these partners, InterNetX provides free certificates for encrypting websites with Basic SSL, an entry-level solution for domains that are managed via InterNetX. Basic SSL certificates are DNS-validated SSL certificates. By 2018, InterNetX and Symantec want to achieve comprehensive encryption of trustworthy websites with Encryption Everywhere.

With Let’s Encrypt there is also an open certification authority (CA, Certificate Authority) that distributes free digital certificates. According to Let's Encrypt, over a million certificates had already been issued by March 2016. This is not seen positively by everyone: "Free initiatives like Let's Encrypt make it clear how easy it is for cyber criminals to get certificates. With these real certificates, they can make fake websites look real," says Kevin Bocek, Vice President, Security Strategy & Threat Intelligence, Venafi.

Not every certificate is secure enough

In fact, the mere existence of a digital certificate is no guarantee of online security, nor is it a guarantee that the digital identity confirmed by the certificate really belongs to the certificate holder. It is not without reason that the Federal Office for Information Security (BSI) has listed "fake certificates" as a threat for years.

The Ponemon Institute's "Cost of Failed Trust Report" examined how often digital certificates and cryptographic keys were forged in Germany in 2015. According to the study, 42 percent of the respondents cannot locate compromised keys and certificates or do not know how to respond properly. More than half of all respondents admitted that their company had lost customers in the past two years because of cryptographic keys and digital certificates that could not be trusted.

Validation when issuing certificates is not a matter of course

A major problem when issuing digital certificates is the quality of the validation process. Verifying the applicant takes effort that not every certificate authority invests. If a faked identity passes validation, that fake identity is then certified by a genuine digital certificate, which is an ideal basis for online attacks.
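To make the difference between validation levels concrete, here is an added Go example (not code from the article or from any of the companies named) that parses a certificate and reports whether its Subject asserts only a domain name, as a DNS-validated certificate does, or a vetted organization as well. The certificates are self-signed test certificates constructed inline so the code runs offline; example.com, Example GmbH and the function names are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// IdentityLevel reports what a certificate's Subject actually asserts. A DV
// certificate (e.g. a DNS-validated one) proves only control of the name, so
// its Subject has no Organization; OV/EV certificates name a vetted organization.
func IdentityLevel(cert *x509.Certificate) string {
	if len(cert.Subject.Organization) == 0 {
		return "domain-only"
	}
	return "organization"
}

// MustSelfSigned builds a constructed self-signed certificate so the example runs
// offline; it stands in for a CA-issued one. An empty org gives a DV-style Subject.
func MustSelfSigned(cn, org, country string, dnsNames []string) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	subject := pkix.Name{CommonName: cn}
	if org != "" {
		subject.Organization, subject.Country = []string{org}, []string{country}
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: subject, DNSNames: dnsNames,
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}
```

A relying party that needs more than proof of domain control (for a payment or login page, say) can use a check like IdentityLevel to reject "domain-only" certificates instead of treating every valid chain as a confirmed identity.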