Root certificate
In
schemes depend on a set of root certificates.A certificate authority can issue multiple certificates in the form of a tree structure. A root certificate is the top-most certificate of the tree, the private key which is used to "sign" other certificates. All certificates signed by the root certificate, with the "CA" field set to true, inherit the trustworthiness of the root certificate—a signature by a root certificate is somewhat analogous to "notarizing" identity in the physical world. Such a certificate is called an intermediate certificate or subordinate CA certificate. Certificates further down the tree also depend on the trustworthiness of the intermediates.
The root certificate is usually made trustworthy by some mechanism other than a certificate, such as by secure physical distribution. For example, some of the best-known root certificates are distributed in operating systems by their manufacturers.
Incidents of root certificate misuse
DigiNotar hack of 2011
In 2011, the
China Internet Network Information Center (CNNIC) Issuance of Fake Certificates
In 2009, an employee of the
In 2015, many users chose not to trust the digital certificates issued by CNNIC because an intermediate CA issued by CNNIC was found to have issued fake certificates for Google domain names[4] and raised concerns about CNNIC's abuse of certificate issuing power.[5]
On April 2, 2015, Google announced that it no longer recognized the electronic certificate issued by CNNIC.[6][7][8] on April 4, following Google, Mozilla also announced that it no longer recognized the electronic certificate issued by CNNIC.[9][10]
WoSign and StartCom: Issuing fake and backdating certificates
In 2016,
WoSign and StartCom issued hundreds of certificates with the same serial number in just five days, as well as issuing backdating certificates.[13] WoSign and StartCom issued a fake GitHub certificate.[14]
See also
- Online Certificate Status Protocol (OCSP)
- Superfish
- SHA-1
- Timestamp
- Verisign
- Google and Symantec clash on website security checks
References
- ^ "What Are CA Certificates?". Microsoft TechNet. 2003-03-28.
- ^ a b "Windows and Windows Phone 8 SSL Root Certificate Program (Member CAs)". Microsoft TechNet. October 2014.
- ^ "476766 - Add China Internet Network Information Center (CNNIC) CA Root Certificate". bugzilla.mozilla.org. Archived from the original on 2020-02-22. Retrieved 2020-01-03.
- ^ "CNNIC发行的中级CA发行了Google的假证书". solidot. 2015-03-24. Archived from the original on 2015-03-26. Retrieved 2015-03-24.
- ^ "最危险的互联网漏洞正在逼近". Archived from the original on 2015-11-21. Retrieved 2015-03-26.
- ^ "Google Bans China's Website Certificate Authority After Security Breach". No. April 2, 2015. Extra Crunch.
- ^ "谷歌不再承認中國CNNIC頒發的信任證書". 華爾街日報. 2015-04-03. Retrieved 2015-04-03.
- ^ "谷歌不再信任中国CNNIC 的网站信任证书". 美國之音. 2015-04-03. Retrieved 2015-04-03.
- ^ "Google and Mozilla decide to ban Chinese certificate authority CNNIC from Chrome and Firefox". VentureBeat. April 2, 2015.
- ^ "Mozilla紧随谷歌 拒绝承认中国安全证书". 美國之音. 2015-04-04. Retrieved 2015-04-04.
- ^ "谷歌宣布开始全面封杀使用沃通CA证书网站,信誉破产的恶果 - 超能网". www.expreview.com. Retrieved 2020-01-03.
- ^ Microsoft Defender Security Research Team (2017-08-08). "Microsoft to remove WoSign and StartCom certificates in Windows 10". Microsoft.
- ^ "CA:WoSign Issues - MozillaWiki". wiki.mozilla.org. Retrieved 2020-01-03.
- ^ Stephen Schrauger. "The story of how WoSign gave me an SSL certificate for GitHub.com". Schrauger.com.