NEWS - May 12, 2014
by Carol~ - 5/12/14 12:21 PM
Significant portion of HTTPS Web connections made by forged certificates
"Scientists unearth first direct evidence of bogus certs in real-world connections" [Screenshot]
Computer scientists have uncovered direct evidence that a small but significant percentage of encrypted Web connections are established using forged digital certificates that aren't authorized by the legitimate site owner.
The analysis (pdf) is important because it's the first to estimate the amount of real-world tampering inflicted on the HTTPS system that millions of sites use to prove their identity and encrypt data traveling to and from end users. Of 3.45 million real-world connections made to Facebook servers using the transport layer security (TLS) or secure sockets layer protocols, 6,845, or about 0.2 percent of them, were established using forged certificates. The vast majority of unauthorized credentials were presented to computers running antivirus programs from companies including Bitdefender, Eset, and others. Commercial firewall and network security appliances were the second most common source of forged certificates.
Continued : http://arstechnica.com/security/2014/05/significant-portion-of-https-web-connections-made-by-forged-certificates/
Related: Researchers Quantify Fake Certificates Used in SSL Connections