Topic

Rogue certificates, misplaced trust

A digital certificate that is supposed to prove a website is legitimate can itself be untrustworthy: the issuing certificate authority may be rogue or breached, the domain control check that precedes issuance may have been beaten, or a Domain Name System (DNS) server may have been hijacked. A Certification Authority (CA) is an organisation or business that issues or sells digital certificates; these certificates are what makes, for example, online transactions secure and lets the parties involved authenticate each other correctly. When such a certificate (for example an SSL or TLS certificate) is issued wrongly, malicious individuals can use it to impersonate others, which puts the users of many websites at risk. CAs operate within a so-called Public Key Infrastructure (PKI), which in simple terms is the set of systems, policies and procedures that manage public-key encryption (used for safe access to websites) and the distribution of certificates. A web browser, for example, relies on digital certificates issued by CAs to secure internet connections (shown by a lock symbol in the address bar).

Web browsers trust these CAs to issue only valid certificates. If a CA goes rogue or is hacked, however, the certificates it issues still appear valid and are still trusted by web browsers, yet can be used for malicious goals; the trust the browsers place in the CA is then misplaced. Suppose, for example, that a CA is hacked and hundreds of certificates fall into the hands of a malicious hacker. The hacker can then impersonate many websites and use this for harmful goals such as fraud, misinformation and the spreading of malware. Conversely, if a CA becomes untrusted, browsers may block all traffic to and from the websites that use its certificates, thereby crippling part of the internet. Rogue certificates are hard to revoke, and blocking them is hard or impossible for end users: this has to be done by the CAs and the browser vendors.
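The trust relationships described in the two paragraphs above (a browser trusting whatever chains to a root in its store, a rogue root getting into that store, vendors distrusting it again, and a breached but still-trusted CA mis-issuing a certificate) can be replayed with real X.509 path validation. The following Go program is an added example, not code from the original page; it uses only the standard library's crypto/x509 package. The CA names, the host name shop.example.test and the trust stores are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// SiteName is a constructed, hypothetical host name used throughout this example.
const SiteName = "shop.example.test"
var serial int64 // counter so every constructed certificate gets a distinct serial

// makeCert generates a key pair and certificate for name: a self-signed root CA
// when parent is nil, otherwise a server certificate signed by parent's key.
func makeCert(name string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	if parent == nil { // self-signed root CA
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage = x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	} else { // server (leaf) certificate
		tmpl.DNSNames = []string{name}
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// trusted is the browser's decision: does leaf chain to a root in the store and name the host?
func trusted(leaf *x509.Certificate, roots *x509.CertPool, host string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}

// Outcome records the path-validation verdict for each scenario in the text.
type Outcome struct {
	HonestLeafTrusted      bool // cert from the trusted CA: accepted
	RogueLeafRejected      bool // cert from a CA not in the store: rejected
	RogueLeafAfterBadRoot  bool // same cert once the rogue root is trusted: accepted
	RogueLeafAfterDistrust bool // after vendors drop the rogue root: rejected again
	BreachedCALeafTrusted  bool // mis-issued cert from the trusted CA: accepted
}

// Run builds two root CAs and three certificates for SiteName and validates each as a browser would.
func Run() (Outcome, error) {
	var o Outcome
	var firstErr error
	mk := func(name string, parent *x509.Certificate, pk *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
		c, k, err := makeCert(name, parent, pk)
		if err != nil && firstErr == nil {
			firstErr = err
		}
		return c, k
	}
	honestCA, honestKey := mk("Honest Root CA", nil, nil)
	rogueCA, rogueKey := mk("Rogue Root CA", nil, nil)
	honestLeaf, _ := mk(SiteName, honestCA, honestKey) // the site's legitimate certificate
	rogueLeaf, _ := mk(SiteName, rogueCA, rogueKey)    // a rogue CA signs the same name
	misissued, _ := mk(SiteName, honestCA, honestKey)  // a breached honest CA signs a second cert for a key the site never held
	if firstErr != nil {
		return o, firstErr
	}
	store := x509.NewCertPool() // the browser's trust store: honest root only
	store.AddCert(honestCA)
	o.HonestLeafTrusted = trusted(honestLeaf, store, SiteName)
	o.RogueLeafRejected = !trusted(rogueLeaf, store, SiteName)
	store.AddCert(rogueCA) // misplaced trust: the rogue root gets into the store
	o.RogueLeafAfterBadRoot = trusted(rogueLeaf, store, SiteName)
	clean := x509.NewCertPool() // distrust: vendors rebuild the store without the rogue root
	clean.AddCert(honestCA)
	o.RogueLeafAfterDistrust = !trusted(rogueLeaf, clean, SiteName)
	// Path validation cannot tell a mis-issued cert from a legitimate one; that gap is what certificate transparency and revocation cover.
	o.BreachedCALeafTrusted = trusted(misissued, clean, SiteName)
	return o, nil
}

func main() {
	fmt.Println(Run())
}
```

All five fields of Outcome come out true: the rogue certificate is rejected only as long as its root is absent from the store, and the certificate mis-issued by the breached honest CA is indistinguishable from the real one to the verifier, which is why detection (certificate transparency logs) and distrust or revocation by CAs and browser vendors, rather than anything an end user can do, are the controls that matter.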

Related keywords: server authentication, signed digital certificates, compromised authority, trusted root, man-in-the-middle attacks, certificate transparency, DNS hijacking, signed malware, fake SSL certificates.