In a previous post we discussed how SSL was developed and how SSL and certificate authorities (CAs) help to protect information that is transferred over the internet. But recently there has been a lot of talk about the trustworthiness of certificate authorities. This discussion was sparked by the discovery of a certificate authority being compromised by hackers. Using this CA, the hackers managed to issue fake certificates for Google, Yahoo!, Mozilla, WordPress and others. Not long after, another widely used CA was hacked; at present at least four CAs are suspected to have been compromised.
The problem is that any trusted root CA or sub CA can issue a certificate for any website on the internet. If the certificate is requested through the standard certificate request process, the CA would generally validate ownership of the site, but if a hacker manages to get control of the CA they can issue certificates for any site they wish. The root certificates of all trusted CAs are stored in popular web browsers like IE, Firefox and Chrome. Because of this, any certificate issued by a trusted root CA, even a fake one, is displayed as a trusted, SSL-encrypted website.
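The following Go program is an added example, not code from the original post. It constructs two demo root CAs (a real one and a "compromised" one, all names and certificates made up for the demo), shows that ordinary browser-style chain validation accepts a certificate for the same host from either root, and shows how pinning the expected CA's public key rejects the one issued by the rogue root.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// template builds a constructed (demo-only) certificate template for name; isCA marks a root CA.
func template(name string, isCA bool) *x509.Certificate {
	return &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		DNSNames: []string{name}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
}
// sign generates a key pair for tpl and has parent sign it; a nil parent produces a self-signed root.
func sign(tpl, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	if parent == nil {
		parent, parentKey = tpl, priv
	}
	der, _ := x509.CreateCertificate(rand.Reader, tpl, parent, pub, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, priv
}
// SPKIPin is the SHA-256 of a certificate's SubjectPublicKeyInfo, the value public-key pinning compares.
func SPKIPin(c *x509.Certificate) [32]byte { return sha256.Sum256(c.RawSubjectPublicKeyInfo) }
// Verify behaves like a browser: any chain ending in a trusted root passes. With pin set, the root must also match.
func Verify(leaf *x509.Certificate, roots *x509.CertPool, host string, pin *[32]byte) bool {
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	if err != nil || pin == nil {
		return err == nil
	}
	return SPKIPin(chains[0][len(chains[0])-1]) == *pin
}
// Demo: the browser trusts two roots; the "compromised" one also issues a certificate for the same host.
func Demo() (browserAcceptsRogue, pinnedAcceptsReal, pinnedAcceptsRogue bool) {
	const host = "www.example.com"
	realCA, realKey := sign(template("Real Root CA", true), nil, nil)
	rogueCA, rogueKey := sign(template("Compromised Root CA", true), nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(realCA)
	roots.AddCert(rogueCA)
	realLeaf, _ := sign(template(host, false), realCA, realKey)
	rogueLeaf, _ := sign(template(host, false), rogueCA, rogueKey)
	pin := SPKIPin(realCA) // the site operator knows which CA should be issuing for this host
	return Verify(rogueLeaf, roots, host, nil), Verify(realLeaf, roots, host, &pin), Verify(rogueLeaf, roots, host, &pin)
}
```

Demo returns (true, true, false): plain chain validation trusts the rogue certificate, while the pinned check accepts only the certificate from the expected CA.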