0

In other words, while visiting https://www.mybank.com, for example, can I always trust the site as long as I click the padlock in the address bar of my browser and find no problem with the certificate?

SilverlightFox
  • 33,698
  • 6
  • 69
  • 185
xiaokaoy
  • 101
  • 1

1 Answers1

4

No, you can't trust it. It is possible that:

  1. The real site has suffered a compromise of its private key
  2. One of the many certificate authorities whose root certificates are in your browser has suffered a compromise of its signing key
  3. One of the certificate authorities is not following procedures correctly and is issuing certificates that it shouldn't be
  4. There's a bug in the browser or a certificate authority's software that allows an attacker to get a certificate issued that the browser trusts
  5. A government agency has got its own root certificate included in your browser as a trusted certificate authority
  6. There's a zero-day exploit of the TLS protocol

(Certificate pinning is a mitigation for numbers 2, 3, 4 & 5, but requires more knowledge and experience from the user, and is not yet widely implemented, although Chrome has some support for it.)

Mike Scott
  • 10,134
  • 1
  • 28
  • 35
  • 2
    or 6b) SSL/TLS is misconfigured for the site and use or allow old insecure protocols or cipher suites to be used. By far the most common problem... – KristoferA Feb 16 '15 at 10:43