In the process of looking at how HTTPS/SSL (Hypertext transfer protocol secure/Secure socket layer) is vulnerable, the Electronic Frontiers Foundation (EFF) has unearthed evidence showing that at least four Certificate Authorities (CAs) discovered that they were compromised in the past four months.
CAs are responsible for authorising the digital certificates that determine which websites browsers can trust.
As part of its explanation of how HTTPS/SSL can be broken, EFF studied the Certificate Revocation Lists (CRLs) that CAs publish and that are seen by EFF's SSL Observatory. When CAs revoke a certificate, they can opt to specify a reason why it was revoked — one reason being that they were compromised.
However, not all CAs are honest in disclosing that they have been breached. EFF technology projects director Peter Eckersley told ZDNet Australia that he was certain that others had been compromised, and only listed "Unspecified" or "Null" as the reason for revocation.
EFF's most recent scan of the lists revealed 248 instances where certificates had been revoked, because the CA had been compromised. Those instances can be attributed to 14 CAs, or, in other words, 14 CAs were honest enough to disclose that they had been compromised.
However, when EFF conducted a scan of the CRLs in June, there were 55 certificates that had been revoked due to CA compromise, provided by 10 CAs. This meant that between June and now, four CAs had become aware that they had been compromised.
While Eckersley said that he has a list naming the CAs that have been compromised, it would be irresponsible to name them, as it would target honest compromised CAs while sparing the secretive ones.
So far, there have only been four highly publicised instances of CAs being compromised. CAs Comodo, DigiNotar, GlobalSign and StartCOM have been in the spotlight after a hacker, who goes by the name of "Sun Ich" on his Twitter stream and emails, compromised Comodo in March, claimed responsibility for the DigiNotar attack in early September and also claimed to have breached GlobalSign and StartCOM's servers.
However, while GlobalSign halted the signing of certificates for a short period, it said that it was not compromised, and, similarly, StartCOM also denied having been compromised.
Eckersley was able to confirm that neither company, nor Comodo, was one of the four.
Eckersley also confirmed that DigiNotar was one of the four CAs that had been compromised in the past four months. It is clear that the now-bankrupt company stated that CA compromise was the reason for only a few of its revoked certificates. It revoked 531 certificates in September, but EFF's recent findings show only 248 CA-compromised revocations in total.
With DigiNotar out of the picture, it leaves three unknown CAs that have been compromised, but which have not disclosed this fact anywhere else but on its CRL — and which possibly never will.
However, Eckersley did state that of the total 14 compromised CAs, they were scattered around the world.
"They appear to be based in 10 different countries, spread across North and South America, Europe, the Middle East and Australasia."
Sun Ich said last month that he had access to three more CAs, and that he had planned a global expansion of his hacking campaign, but it is unclear whether these incidents are related, or whether there are even more CAs that not disclosed their breaches.