For a risk analysis I am writing, I have compiled a list of attacks on
CAs that have happened. "History" in the sense of risk analysis.
It isn't meant to be deep, just to give a flavour. Unfortunately, for a
real history we would need many more attacks to give some sense of
statistical predictability; sadly our attackers are failing us ;)

Comments welcome, iang.
2001. False certs. An unknown party used weaknesses in validation to get
two certificates issued in the name of Microsoft.com (Guerin). The
attacker was thought to be of the reputational variety: interested in
embarrassment of the CA, not exploitation.

2003. Phishing. This attack bypasses the security afforded by
certificates due to weaknesses in the secure browsing model (Grigg1).
The existence of an unsecured mode of communication (HTTP) alongside a
secure mode (HTTPS) provides an easy borders-of-the-map or downgrade
attack, which user interfaces offer little resistance against.
Best guesstimate of consequences runs at around $100m (FC 1343).

2008. Interface breach. One CA created a false certificate for a vendor
by probing the RA of a competitor for weaknesses (Leyden). Consequences
limited to lowered reputations for all of those involved.

2008. Weak certs. An academic group succeeded in attacking a CA with weak
cryptographic protections in its certificates (Sotirov et al). This
resulted in the attackers acquiring a signed certificate over two keys,
one normal and one that acted as a sub-root. This gave them the ability
to sign new certificates that would be accepted by major vendors.
Consequences were limited to reputational effects, as the root that was
attacked was slated to be removed within the month.

2011. False certs. A lone Iranian attacker, ichsunx2, breached
approximately 4 CAs. His best success was to use weaknesses in an RA to
acquire 9 certificates for several high-profile communications sites
(Zetter). It was claimed that the attacker operated under the umbrella
of the Iranian state, but no evidence for that was forthcoming.

2011. Breached / collapsed CA. The same attacker, icksunx2, breached a
Dutch CA and issued several certificates. The CA’s false certs were
first discovered in an attack on Google’s Gmail service, suggested to be
directed against political activists opposed to the Iranian government.
Controls within the CA were shown to be grossly weak in a report by an
independent security auditor (FOX-IT1), and the CA filed for bankruptcy
protection (perhaps for that reason). Vendors discovered that revocation
was not an option, and issued new browsers that blocked the CA in code.
Known user damages: rework by Google, and vendor-coordinated re-issuance
of software to all browser users. Potential for loss of confidentiality
of activists opposed to the Iranian government. Many Netherlands government
agencies had to replace their certificates.

2011. Spear phishing. A group of 9 certificates were identified in
targeted malware injection attacks (FOX-IT2). As the certificates were
all alleged to be only 512 bits, the conjecture is that new private keys
were crunched for them. One public-facing sub-CA in Malaysia was
dropped; 3 other CAs re-issued some certs and reviewed controls. No
known customer breaches, but probably replacement certs for the holders
(minor).

2011. Website hack. A captive CA for a telecom had its website hacked,
and subscriber information and private IP compromised (Goodin). The attacker
was listed as a hacker who tipped off the media, claiming not to be the
first. The parent telecom shut down the website.

2012. CA breached protocol. A CA announced that it had issued a sub-root
to a company for the purposes of intercepting the secure communications
of its employees. This is contrary to contract with vendors and industry
compact. At some moment of clarity, the CA decided to withdraw the
sub-root. Consequences: loss or damage to that customer due to contract
withdrawal. Such contracts have been estimated to cost $50k. Destruction
of the equipment concerned, maybe $10k. Loss of reputation to that CA,
which specialises in providing services to US government agencies. Loss
of time at vendors, which debated the appropriate response.
References are here:
http://wiki.cacert.org/Risk/History