Posted on October 14, 2019 at 1:30 PM

SSL Certificates Usually Incorrectly Issued Due to Human Factors and Software Bugs

SSL certificates are steadily becoming more and more part of everyday life. As many companies and private users desire more and more privacy, they turn to SSL in this new age of technology. Even so, the prevalence of SSL certificates improperly issued is staggering. On top of that, 42% of these incidents are directly linked to software bugs and human factors within the bodies that issue SSL certificates.

This was shown to be true by a research team from the School of Informatics and Computing within the Indiana University Bloomington. This study investigated 379 instances of improperly issued SSL certificates, out of a total of 1300 known events. For the interested parties, the full investigation will be linked here.

The goal of this research was to investigate Certificate Authorities (CAs) to see whether or not they adhered to their industry standards. On top of this, it was set to find out what the most common reason behind improperly issued SSL certificates.

Organizations that give out SSL certificates, be it free or priced, are CAs. These SSL certificates allow users to encrypt communications between clients and servers via an HTTPS connection. The CA/B Forum regulates the activity of the CAs. This forum’s user base is made up of OS and browser creators that work alongside the CAs.

As the years went on, CAs have made multiple errors. Usually, these errors involve the CA itself not following its own rules, leading to misissues of SSL certificates. Among these many wrongly issued SSL certificates, some have been used in so-called man-in-the-middle attacks or MitMs. These attacks intercept HHTPS signals and a “middleman” into the data exchange, allowing hackers to steal whatever private information you send to the site.

This was mostly possible due to CAs issuing certificates without following the due process: Be it human error, accident, or trying to cut costs to increase profits. Whatever it may be, the human factor is pronounced.

CAs have been caught backdating SSL certificates as well in an attempt to avoid deprecation timelines. Things like issuing SSL certificates without proper verification of a buyer’s legitimacy, or issuing certificates that make use of weak or non-compliant algorithms.

The Errors

 The Indiana University Bloomington team has discovered that the most common reason for SSL mississue is nothing more than a software bug within the CA’s system. Of the 379 cases, 24% (91 cases), were guilty of improper software.

Second place was given to CAs misinterpreting CA/B regulations, or that the CAs were blissfully unaware that the rules have recently changed. It accounted for 18% (69 cases) of the SSL mississues.

Third place and the first malicious reasoning was due to CAs putting profit over compliance. These groups consist of 14% (52 cases) of the errors. These incidents include directly selling certificates for MitM attacks, issuance of rogue certificates, or backdating SHA-1 certificates to evade prohibition. Some groups even charge to revoke compromised SSL certificates.

Fourth place was given to plain old human error. An even 10% (37 cases) was classified as this.

Fifth place was given to so-called operational errors. A fancy way of saying the CA’s internal procedures had a fault, instead of software or human error. This accounted for 8% (29 cases).

Sixth was given to something called non-optimum request check. What this means is the CAs didn’t properly investigate the individuals that are requesting an SSL certificate, which allows a rogue agent to impersonate an otherwise legitimate entity.

The final considerable factor was dubbed improper security controls. This is just a catch-all term for when various CAs were hacked or otherwise lost control of their infrastructure. This, by extent, allowed malicious actors the ability to issue their own SSL certificates. Of the 379 cases, 4% (15) were guilty of this.

Other, far less relevant factors are changing Baseline Requirements, where CAs were lagging with rule-change. Beyond that, it was blamed on general infrastructure problems due to unavailable servers, hardware problems, etc. Others were organizational constraints due to their country.

CAs Responsible:

The most problematic CAs seemed to be things like StartCom, Digicert, WoSign, Comodo (AKA Sectigo), VISA, Quo Vadis, GoDaddy, Camerfirma, Certum, and SwissSign.

Interestingly enough, the top 10 most problematic CAs have managed to hoard over half the issues presented in the study. It suggests that it may just be a case of bad apples. The researchers themselves suggest that these entities be penalized to deter them from doing that again.