So how does a Certificate Authority attack work? Certificate bandits break into companies–such as Comodo and Diginotar–that issue digital credentials that your browser uses to verify a website’s identity. This credential tells your browser that the site can be “trusted,” i.e. that it’s not dangerous. Certificate bandits, however, can undermine this entire process by issuing fake certificates to themselves that allow them to masquerade as “safe” sites, such as Google, Mozilla, Skype, and AOL.
Here are four ways you can protect yourself from hackers wielding fraudulent certificates.
1. Keep your browser up to date.
Browser makers are quick to react to news of CA hacks, and block them by pushing out fixes to their products. Though some browsers do this with automatic updates, others require manual updating. Know how your browser updates itself (or, doesn’t) and make sure you’re running the latest version of the program. The faster your browser is updated, the faster hackers will be thwarted.
2. Enable certificate revocation in your browser.
3. Customize the root certificates in your browser.
Most browsers include a number of “root certificates” in them by default. Such credentials act as blanket permissions to accept all the certificates from a CA. For example, in the recent DigiNotar case, a root certificate for that CA installed on a browser would allow any certificates issued by the CA to be automatically trusted—even fake ones. Recognizing that, the major browser makers—Microsoft, Mozilla and Google—swiftly removed the DigiNotar root certificate from their products. In some browsers, you can manually disable root certificates, although this may push your technological savvy and patience. There can be more than 100 roots in a browser and editing the trust settings in each one can be very time consuming.
4. Always look for the green bar inside your browser’s address bar.
That’s a sign that the certificate for the URL in the address bar has been subjected to an “extended validation” process. Not all websites have them, but many high-profile sites do. “That’s your assurance that the certificate holder has gone through a very rigorous, documented process of authentication and vetting,” Symantec Technical Director Rick Andrews explained to PC World. “By definition EV certs can’t be instantly issued. They have to be vetted by humans.”
Follow freelance technology writer John P. Mello Jr. and Today@PCWorld on Twitter.