Last year, MonPass, Mongolia’s certificate authority (CA) was hacked to compromise the server and enable users to download the backdoored client, as reported by the Czech cybersecurity software company, Avast. A compromised CA can potentially disrupt the certificate chain of trust, allowing threat actors to gain unauthorized access.
Popular internet browsers, like Google Chrome, recognize a group of CAs as trusted entities. When you visit a website, the site sends a digital certificate to the browser. Your Internet browser then compares the certificate issuer to the list of the trusted certificate authorities, or root CAs.
How does a certificate chain of trust work?
A root CA, which holds the Trust Anchor, is a certificate authority that possesses multiple trusted roots in the trust stores of major web browsers. In the X.509 terminology, root CA holds the highest position in the trust hierarchy and is responsible for validating the trustworthiness of intermediate and sub CAs, which together form the certificate chain of trust.
The intermediate CA is the mediator between the root CA and the server certificate issued out to the public. The server certificate needs to be signed by the intermediate CA for it to be compatible with all the clients.
The server certificates can be chained back to its root certificate. Upon verification of this certificate chain of trust, the client can initiate a safe connection with the server. If the server certificate fails to be traced back to the root CA, the browser will display warning notifications.
The primary objective of a certificate chain of trust is to prove and validate that the particular digital certificate is issued by a legitimate and authentic entity. If the source of the certificate is trusted and can be linked back to the root CA present in the browser’s trust store, the security of the website will be guaranteed. The users will then be able to communicate to the website safely, without any fear of security breaches.
What causes the certificate chain of trust to break?
The recent trends in cyberattacks indicate the sophisticated and evasive techniques used by the malicious actors to compromise entities managing digital certificates. Stolen digital certificates from trusted vendors are injected with malicious codes, making it challenging to detect them and respond to them.
In the chain, the trust vector traverses several connected entities, who vouch for one another, but it will not be possible if the chain breaks. The gaps in the chains can occur, if:
- Any intermediate certificate lacks expected basic constraints or required extensions
- Your TLS/SSL certificate is not signed by a trusted CA
- Your server is not configured correctly
- Your intermediate certificates are not installed accurately
- SSL certificate of your website has expired or is compromised
- Changes in root ownership
- Faulty certificate authority
- Private key compromise
- Any of the three pieces of a key’s cryptography – key algorithm, key length, or hash function (SHA1, SHA2) is broken
What happens when the certificate chain breaks?
A break in the certificate chain, where certificates cannot be verified, can expose networks to security risks, and obstruct website access leading to warnings like ‘Warning: Potential Security Risk Ahead’, and ‘Certificates not Trusted’ , thus driving users away.
Stolen or forged digital certificates, which can create gaps in the certificate chain, are exploited by attackers to launch man-in-the-middle attacks for eavesdropping SSL/TLS traffic. During such an attack, users are tricked to believe that they are communicating to a legitimate site, whereas in reality they might be exposing sensitive information to attackers.
How to fix certificate chain issues?
- Use certificates issued by trusted CAs: CA-signed certificates provide a high level of assurance and a seal of genuineness by binding the public key with the server or client, given the entity possesses the corresponding private key. Self-signed certificates can work for internal-facing websites, but for external ones, it is advisable to use CA-signed certificates for establishing digital trust.
- Install intermediate CA certificates for client-server authentication: The idea behind installing intermediate CA certificates is to provide an additional level of security, in case of any mis-issuance or other unfortunate security incidents. A client computer validates the server authentication chain to establish a secure SSL connection.
- Manage and monitor certificates: Digital certificates need to be managed and monitored to ensure that they are in the best possible state, considering several variables like expiring month, certificate owners, issuing CAs, etc. Replacing manual processes with automated certificate management tools will help you to manage certificates and keys across hybrid and multicloud environments.