Service providers issuing fake digital certificates undermines Internet security, warn experts

Tools

The issuing of fake digital certificates, such as the ones issued by in-flight Wi-Fi provider Gogo to prevent users from visiting YouTube, can undermine security and lead to man-in-the-middle attacks in which attackers are able to intercept internet traffic.  

"We have seen man-in-the-middle attacks for years--there is no reason to suspect these attacks to lessen despite the ominous warnings the browser manufacturers have put in place concerning 'invalid server certificate,'" Garret Grajek, chief security officer at dinCloud, is quoted by TechTarget's SearchSecurity as saying. "Hackers count on most (or some percentage) of users to just 'click through,'" Grajek adds.

While Gogo was not issuing fake certificates to steal data, the practice of using fake certificates is a well-worn technique used by attackers to engage in nefarious activities.

Some security experts are concerned that the increasing use of transport encryption could undermine the security provided by digital certificates, particularly if service providers issue fake certificates as a regular practice.

"Unfortunately, this is not a new risk and is pervasive across the Internet. It's best if business providers like Gogo don't complicate the matter by creating more confusion and risk with what looks like malicious certificates that could be used to spoof and monitor private communications," Kevin Bocek, vice president of security strategy and threat intelligence at Venafi, is quoted by SearchSecurity as saying.

For more:
- check out the SearchSecurity article

Related Articles:
In-flight Wi-Fi provider Gogo issues bogus digital certificates that expose YouTube user data
Report: 5 million Google account logins, passwords leaked
Firms still hemorrhaging from Heartbleed