In other words, while visiting https://www.mybank.com
, for example, can I always trust the site as long as I click the padlock in the address bar of my browser and find no problem with the certificate?
Asked
Active
Viewed 106 times
0
SilverlightFox
- 33,698
- 6
- 69
- 185
xiaokaoy
- 101
- 1
1 Answers
4
No, you can't trust it. It is possible that:
- The real site has suffered a compromise of its private key
- One of the many certificate authorities whose root certificates are in your browser has suffered a compromise of its signing key
- One of the certificate authorities is not following procedures correctly and is issuing certificates that it shouldn't be
- There's a bug in the browser or a certificate authority's software that allows an attacker to get a certificate issued that the browser trusts
- A government agency has got its own root certificate included in your browser as a trusted certificate authority
- There's a zero-day exploit of the TLS protocol
(Certificate pinning is a mitigation for numbers 2, 3, 4 & 5, but requires more knowledge and experience from the user, and is not yet widely implemented, although Chrome has some support for it.)
Mike Scott
- 10,134
- 1
- 28
- 35
-
2or 6b) SSL/TLS is misconfigured for the site and use or allow old insecure protocols or cipher suites to be used. By far the most common problem... – KristoferA Feb 16 '15 at 10:43