0

Is there any possibility that a trusted CA can perform a man in middle attack? Since the CA certificate is installed and trusted by the browser it will never raise a warning message. Hope my doubt will be clarified by the security experts. Thank you

Chris
  • 1
  • I see the instance of a CA issuing a malicious cert (which could be used by ISPs or Governments for decryption), but the CA needs to have access to your traffic for it to decrypt it. Are you also asking if the CA Infrastructure would allow for MiTM attacks by somehow compelling traffic to flow through its networks? – amccormack May 08 '15 at 05:50

2 Answers2

1

There are some news articles about existing backdoors on CAs for use by Security Agencies, but the trustworthiness of these news must be checked,

New NSA Leak Shows MITM Attacks Against Major Internet Services

There is no evidence that shows the trusted CAs use their certificates for MITM attacks, because sooner or later will be identified or disclosed and that company will be convicted quickly. So, it seems unlikely that a trusted CA does it.

There are several ways users can detect MITM attacks, even when the certificate seems to be signed by a trusted CA. There are, for example, Firefox plugins available from Certificate Patrol as well as Perspectives that can help users by alerting on “new” certificates that have not been seen before.

Network Forensic Analysis of SSL MITM Attacks

Ali
  • 2,714
  • 1
  • 14
  • 23
  • How can be a MITM easily detected? Any mechanism to detect MITM? My understanding is any CA can do a MITM and also that can't be detected. – Chris May 08 '15 at 05:36
  • dear @Chris the answer was edited. – Ali May 08 '15 at 05:56
0

Any CA can emit (and use) a valid certificate for any domain. It doesn't mean it won't be detectable, as the certificate won't be identical to the genuine one, as they would need the private key (presumably securely held by the site being impersonated).

Certificate pinning will detect it (either built-in the browser, as some do for select sites, or with an extension such as Certificate Patrol), among other techniques.

A CA caught doing that risks having its trust revoked, and be put out of business...

Bruno Rohée
  • 5,351
  • 28
  • 39