Hackers can create spoofed security certificates for fake websites.
Hacks waged against companies that issue security certificates for websites are calling into question long-standing domain name verification practices.
The most headline-grabbing attacks, launched by the so-called Comodohacker against certificate authorities Comodo and DigiNotar, were aimed at obtaining fraudulently issued certificates for heavily used sites such as Google. Holding a certificate that a trusted authority has issued for someone else's domain, anyone positioned to redirect or intercept traffic, for example at an Internet service provider, could easily stand up a ghost site, one that under common Internet browsing behavior and standards would be difficult for the average Web user to spot. With a ghost site, hackers could attempt to defraud unsuspecting users.
The difficulty of spotting suspicious ghost or spoofed sites has been exacerbated by mobile browsing. "We could be browsing fake sites, a fake Google site, and not know that we're doing anything badly," says Bob Walder, chief research officer at NSS Labs, an IT security research and testing firm. "The chain of trust will appear to be unbroken on an iPhone and Android phone."
Part of the problem is user behavior. Most online users trust that sites matching the URLs they enter are safe. But another part of the problem lies in the way certificates are verified: a browser accepts a certificate for a site as long as it chains to any one of the many root authorities in its trust store, so a certificate issued by a compromised authority validates just as cleanly as the genuine one. It is ultimately a system that has been built on trust and honor, say security experts such as Michael Smith of Akamai Technologies.
Jerry Bryant, group manager of response communications for Microsoft Trustworthy Computing, says Microsoft's Internet Explorer signals that a site has presented a valid certificate by displaying a lock icon in the browser security status bar. "That will let the user visiting the website know that the site has a digital certificate," he says. "The certificate that is used to encrypt the connection also contains information about the identity of the website owner or organization. You can click the lock to view the identity of the website. Normally, you won't have to think about certificates at all. You might, however, see a message telling you that a certificate is expired or invalid. In those cases, you should follow the instructions in the message."
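The problem Walder and Bryant describe can be shown in a few lines of code. The following Go program is an added example for this page, not code from the article, from NSS Labs, Microsoft, or any of the certificate authorities named above. It builds two root authorities that a client trusts, a genuine one and a hypothetical compromised one, has each issue a server certificate for the same made-up hostname (mail.example.test), and then checks both certificates two ways: with ordinary chain validation, which is what a browser does before it shows the lock, and with a public-key pin on the expected issuer, the kind of extra check that catches a certificate issued by the wrong authority.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// Outcome records how each certificate fares under plain chain validation
// and under validation that also requires a pinned issuer key.
type Outcome struct {
	GenuineChainOK, RogueChainOK bool
	GenuinePinOK, RoguePinOK     bool
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// template builds a CA template (isCA) or a server template for the host named
// by name. All names and validity periods here are constructed for the example.
func template(name string, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	if isCA {
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage |= x509.KeyUsageCertSign
	} else {
		t.DNSNames = []string{name}
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// newCert generates a fresh key and signs tmpl. With parent == nil the result is
// a self-signed root; otherwise parent/parentKey is the issuing authority.
func newCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// SPKIPin is the base64 SHA-256 of the SubjectPublicKeyInfo, the value that
// public-key pinning compares against.
func SPKIPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// ChainValid is the browser's default rule: accept if some path from the leaf
// reaches any trusted root and the certificate names the host.
func ChainValid(leaf *x509.Certificate, roots *x509.CertPool, host string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}

// PinnedValid also requires that some certificate in the verified chain carries
// the pinned key, so a perfectly valid chain from the wrong CA is rejected.
func PinnedValid(leaf *x509.Certificate, roots *x509.CertPool, host, pin string) bool {
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	if err != nil {
		return false
	}
	for _, chain := range chains {
		for _, c := range chain {
			if SPKIPin(c) == pin {
				return true
			}
		}
	}
	return false
}

// Demo sets up the scenario: the client trusts both roots, and the compromised
// one issues a certificate for a host it has no business certifying.
func Demo() Outcome {
	const host = "mail.example.test" // hypothetical hostname
	genuineCA, genuineKey := newCert(template("Genuine Root CA", true), nil, nil)
	rogueCA, rogueKey := newCert(template("Compromised Root CA", true), nil, nil)

	roots := x509.NewCertPool()
	roots.AddCert(genuineCA)
	roots.AddCert(rogueCA)

	genuineLeaf, _ := newCert(template(host, false), genuineCA, genuineKey)
	rogueLeaf, _ := newCert(template(host, false), rogueCA, rogueKey)
	pin := SPKIPin(genuineCA) // the key the site's operator actually uses

	return Outcome{
		GenuineChainOK: ChainValid(genuineLeaf, roots, host),
		RogueChainOK:   ChainValid(rogueLeaf, roots, host),
		GenuinePinOK:   PinnedValid(genuineLeaf, roots, host, pin),
		RoguePinOK:     PinnedValid(rogueLeaf, roots, host, pin),
	}
}

func main() {
	fmt.Printf("%+v\n", Demo())
}
```

Both leaf certificates pass ChainValid, which is why the lock icon and an "unbroken" chain of trust prove nothing once an authority in the store has been compromised; only PinnedValid, which knows which key the real site is supposed to be behind, tells the two apart. The same idea underlies the pinning that some browsers and applications later adopted for high-value sites, and it is the check to reach for when a plain chain validation is not enough.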
http://www.bankinfosecurity.com/articles.php?art_id=4067