Bad SSL Certificates

Hello,
Can a company that provide SSL certificate, snooping on my server or even take down my site? For example, I use SSL from ssl.com for a domain like “my-example.mydomain” and ssl.com doesn’t support “.mydomain” and take site down.

Thank you.

SSL certificates are provided by a very select list of certificate authorities who are generally of trust. There are also some countries that require government provided certificates.

SSL certificates have a history of being used to spy on users via MITM (and sometimes sent this way).

If users of your website receive a false certificate under a malware/MITM (man in the middle attack), where attacker’s machine impersonates server on the network. This would be a danger to your users if your website is targeted for this (could result in information being compromised, sent from users to site, and redirection of malware/other data from MITM server to user). Danger to the site depends on targeted user’s site edit/read permissions.

Today generally, if website certificate does not match the valid signed cert authority a user sees a message/padlock problem on the browser.

Root certificates on other hand can be huge issue if installed on the computer of a remote administrators (especially if this user is an administrator privileges).

To better understand root cert problems, look into “Superfish”. In this case a root certificate came installed on all Lenovo Laptops for a time per. This caused US gov to ban Lenovo products.

Superfish root certificate had a universal password “komodia” allowing reading of all supposedly SSL encrypted data. There was proxy/redirection and even a rootkit. More on Superfish here: https://www.forbes.com/sites/thomasbrewster/2015/02/19/superfish-history-of-malware-and-surveillance/#21996d68527b

Root certificates are a huge, seldom discussed danger- because everything behaves as it should (green padlock, no obvious signs of foul play).

Hope this helps.

2 Likes

Thank you for your great advice.
How “Superfish” came to Lenovo Laptops?
I want to know the companies that issue the certificates could using theirs certificates to bring a site down?

Installed on computer before sale to customers. Somewhere along the line Lenovo apparently reached contract with the company for software preinstallation tradeoff, posing as an advertiser affiliate company.

Your last question is super unlikely (and unheard of). If something like that happened (it won’t), said company would become distrusted by all, losing their position as trusted cert authority, throwing away everything they ever worked for.

If you believe your website is this hated, all other types of attacks are more likely to happen, cert authority isn’t going to get involved. If someone wants a website there are other paths making more sense. This isn’t going to happen. At least not involving the cert authority.

Much more likely a hacker will attempt to send forged/home made certs they have control over. They would have to gain enough access to the network hosting either your site, or the visitor being targeted.