How should we respond to a root CA breach?

Information Security Asked on November 11, 2021

In the unlikely event that a root CA is breached (eg. Comodo, DigiNotar), how should people and companies respond?

(Assume the people responding practice infosec & are aware of the problems of such a compromise)

Possible responses:

  • Assume much of the internet is insecure and temporarily stop/minimize using it
  • Continue internet usage as usual, watching out for issues using common sense
  • Remove certain certificates from the browser and continue with the internet

One Answer

Certificates protect against man-in-the-middle attacks, which are already pretty hard to accomplish on the open Internet. The attacker usually needs to either control a router between user and website or the DNS server used by the user. That's not something a wannabe cybercriminal can pull off from their basement. That's something which is usually done by state actors.

For most regular users it would be good enough to just let the browser vendors assess the situation and wait for them to revoke the root certificate with the next update if they deem it necessary.

But when you are working in a particularly sensitive industry targeted by highly sophisticated attackers, then you might opt to remove the CA's root certificate from your browser's certificate store yourself (how to do that depends on the web browser you are using). The result will be that any website which has a certificate issued by that certificate authority now generates a security warning. You can of course choose to ignore that warning and keep browsing it under the assumption that what you see might actually be a fake website provided by your attackers.

Also note that some websites might use certificate pinning. So your browser will remember who signed the certificate when it first saw the website and reject a certificate by a different certificate authority.

Answered by Philipp on November 11, 2021
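As an added example (not part of the question or of Philipp's answer), here is a stdlib-only Python script that distrusts a root in a PEM CA bundle by its SHA-256 fingerprint, the value browsers and `openssl x509 -fingerprint -sha256` display, rather than by subject name. The bundle and the two "certificates" in it are constructed placeholders, not real DER; a real bundle such as `/etc/ssl/certs/ca-certificates.crt` has the same PEM layout.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----\n?", re.S)


def _pem_block(der: bytes) -> str:
    """Wrap raw bytes in a PEM CERTIFICATE envelope with 64-column base64."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


# Constructed sample bundle: the payloads are placeholder bytes, NOT real DER
# certificates. A real bundle (e.g. /etc/ssl/certs/ca-certificates.crt) has the
# same layout, so the functions below work unchanged on it.
SAMPLE_ROOT_A = b"constructed placeholder DER for example root A"
SAMPLE_ROOT_B = b"constructed placeholder DER for example root B"
SAMPLE_BUNDLE = _pem_block(SAMPLE_ROOT_A) + _pem_block(SAMPLE_ROOT_B)


def sha256_fingerprint(der: bytes) -> str:
    """SHA-256 of the DER bytes as colon-separated upper-case hex, the form
    browsers and `openssl x509 -noout -fingerprint -sha256` display."""
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def fingerprints_in(bundle_pem: str) -> list[str]:
    """Fingerprint of every certificate block in the bundle, in file order."""
    return [sha256_fingerprint(base64.b64decode(b)) for b in PEM_RE.findall(bundle_pem)]


def distrust_roots(bundle_pem: str, distrusted: set[str]) -> tuple[str, list[str]]:
    """Drop every certificate whose SHA-256 fingerprint is in `distrusted`.
    Match by fingerprint, not subject name: a breached CA's name can also
    appear on a different, untouched root. Returns (cleaned bundle, removed)."""
    wanted = {fp.replace(":", "").upper() for fp in distrusted}
    removed: list[str] = []

    def keep_or_drop(match):
        fp = sha256_fingerprint(base64.b64decode(match.group(1)))
        if fp.replace(":", "") in wanted:
            removed.append(fp)
            return ""  # block dropped from the output bundle
        return match.group(0)

    return PEM_RE.sub(keep_or_drop, bundle_pem), removed


if __name__ == "__main__":
    breached = sha256_fingerprint(SAMPLE_ROOT_A)  # stand-in for the breached root
    cleaned, gone = distrust_roots(SAMPLE_BUNDLE, {breached})
    print("removed:", gone, "remaining:", fingerprints_in(cleaned))
```

Browsers that ship their own store (Firefox, Chrome on most platforms) ignore the system bundle, so this only covers software that reads the OpenSSL-style PEM file; a revoked root must also be removed wherever else it is pinned or cached.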
