Companies could use 'intermediate' web security certificates to spy

Intermediate certificate authorities are just as potent as the root CAs that form a secure web.

A certificate authority (CA) is a trusted entity that issues electronic certificates (duh) to verify identity on the Internet. They're a key part of secure communications online -- and thus super important. Then there are intermediate CAs, which are signed by a root CA and can make certificates for any website. They're just as powerful as the root ones. Worse still, there's no full list of the ones your system trusts, because root CAs can make new ones whenever they want, and our computers will trust 'em immediately. This is a problem when companies get their hands on them, although they could have legitimate reasons for using an intermediate CA within their own networks.

Companies (in this case Blue Coat Systems, a web security firm which had an intermediate CA signed by Symantec last year) could use their CA to view your web traffic and decrypt it anywhere -- not just on specific networks. "Man in the middle" (MitM) attacks could mean anyone with an intermediate CA could take whatever you throw into the web (as you assume a site is secure), and secretly relay and even tweak communications between you and said site.



Filippo Valsorda, from the CloudFlare Security Team, notes that thousands of them have been logged already, and picked an intermediate CA to explain how to untrust these types of CA explicitly. There are instructions for both Mac OS and Windows. The problem remains that while this would stop that intermediate CA, it won't stop the root CA from issuing a new intermediate to the same organization.
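The behaviour described above, as an added example that is not from the original article or from Valsorda's instructions: a throwaway local PKI built with the openssl CLI shows a client that trusts only the root accepting an intermediate on sight, and a local denylist missing a second intermediate from the same root. Keying the denylist on the public-key hash is an assumption of this sketch, and all names, keys and helper functions are constructed for the demo.

```sh
#!/bin/sh
# Added example. Every key, name and file here is constructed locally for the demo.
W=$(mktemp -d)
printf 'basicConstraints=critical,CA:TRUE\n' > "$W/ca.ext"

# issue NAME ISSUER [EXTFILE]: new key + CSR for NAME, signed with ISSUER's key.
issue() {
  openssl req -newkey rsa:2048 -nodes -keyout "$W/$1.key" -out "$W/$1.csr" \
    -subj "/CN=Demo $1" 2>/dev/null
  openssl x509 -req -in "$W/$1.csr" -CA "$W/$2.pem" -CAkey "$W/$2.key" \
    -CAcreateserial -days 2 ${3:+-extfile "$3"} -out "$W/$1.pem" 2>/dev/null
}

build_demo_pki() {
  # Self-signed root: the only certificate in the client's trust store.
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$W/root.key" \
    -out "$W/root.pem" -subj "/CN=Demo root" -days 2 2>/dev/null
  issue intermediate root "$W/ca.ext"    # CA:TRUE, so it can sign for any site
  issue leaf intermediate
  issue intermediate2 root "$W/ca.ext"   # a second intermediate, issued later
  issue leaf2 intermediate2
}

# chain_ok LEAF [INTERMEDIATE]: verify LEAF with the root as the only anchor.
# INTERMEDIATE is passed as untrusted input, as a TLS server would send it.
chain_ok() {
  openssl verify -CAfile "$W/root.pem" ${2:+-untrusted "$W/$2.pem"} \
    "$W/$1.pem" >/dev/null 2>&1
}

# spki_sha256 NAME: SHA-256 of the certificate's public key.
spki_sha256() {
  openssl x509 -in "$W/$1.pem" -noout -pubkey | openssl pkey -pubin -outform DER |
    openssl dgst -sha256 | awk '{print $NF}'
}

# is_denied NAME: true if NAME's key hash is on the local denylist.
is_denied() { grep -qx "$(spki_sha256 "$1")" "$W/deny.txt"; }

say() { if "$@"; then echo "$*: yes"; else echo "$*: no"; fi; }

build_demo_pki
spki_sha256 intermediate > "$W/deny.txt"   # explicitly distrust the first one
say chain_ok leaf                     # no: issuer unknown to the client
say chain_ok leaf intermediate        # yes: trusted on sight via the root
say is_denied intermediate            # yes: caught by the local denylist
say chain_ok leaf2 intermediate2      # yes: the new intermediate just works
say is_denied intermediate2           # no: the denylist does not cover it
```

The last two lines are the article's caveat in practice: nothing in the client's trust store changed, yet the second intermediate validates and slips past the entry made for the first.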
