Fraudsters Forge Digital Certificates, Undermine Consumer Trust in Internet Security

Sarasota, FL, October 31, 2011/Internal Release/ - Consumers rely on signals from their web browser to ensure a website is legitimate before inputting any sensitive information, and web browsers verify a website’s legitimacy by confirming it has a valid digital certificate. Digital certificate authorities, such as Verisign and others, ensure that data remains encrypted as it travels from the consumer’s web browser to the website server, and consumers have been trained to look for certain signals, such as an https:// URL. However, recent hacks have enabled fraudsters to forge digital certificates and issue them to their own illegitimate web pages, which threatens the level of trust these digital certificates and trust marks represent.


This past summer a hacker gained access to DigiNotar, a Dutch digital certificate authority, and was able to forge their digital certificates. The fraudster then issued over 500 forged, but valid, digital certificates to fake websites impersonating Microsoft, Google, Facebook, Twitter, Equifax and others. These fake websites were likely sent as links in phishing emails or were landing pages for consumers who fell victim to a man-in-the-middle attack. DigiNotar ultimately filed for bankruptcy as a result of this fraud attack, but it isn’t the only one to experience this problem. A Japan-based digital certificate authority and another from the United States were victimized by similar attacks in the summer of 2011 as well.


If fraudsters have the ability to forge digital certificates, then they have the ability to impersonate any website they wish. Consumers can build a false sense of security, believing they are at a legitimate website because their web browsers confirm the site’s certificate and therefore recognize the web page as authentic. However, if the consumer does log in or provide any sensitive information, they are handing it right to the fraudster. Fraudsters being able to compromise the digital certificate authorities can result in the identity thefts of thousands of consumers, but it can also undermine the confidence consumers have in the security of the internet and internet transactions. With many fraudsters and scams lurking on the internet, consumers rely on digital certificates to assure them it’s safe to transmit their sensitive information over a website. But when hackers can breach certificate authorities and forge these certificates, it threatens the very foundation of trust in internet security.
