Secure protocols, such as the Secure Sockets Layer (SSL) protocol, are widely used to protect data transmitted on the Internet, such as between a user's application and a web site server. Often, the connection is secured by using a certificate returned from the web site to share a key with the web browser of the user's computing system. In some instances, a user is prompted for input of one or more user credentials, such as a username and password and to validate the authenticity of the server. In other instances, the only user interaction may be to approve the certificate returned from the web site.
The web browser typically checks to see if the signer of the certificate matches a known signer, e.g., a Certificate Authority (“CA”). If the signer of the certificate matches a known signer in the certificate, the web browser allows the connection. If the signer of the certificate does not match a known signer, the web browser typically generates an alarm notification to the user so that the user can determine whether or not to continue the connection. Thus, when a user browses to a website and sees a proper certificate from known signer, i.e. a CA (Certificate Authority), and the browser does not show any alarm message, a user typically assumes that the web site is legitimate and any communication is secure. Unfortunately, some computer attacks utilize a seemingly legitimate certificated by issuing a certificate signed by a compromised CA. As the compromised CA is otherwise trusted by the web browser, the web browser recognizes the certificate to be from a known (legitimate) signer, and the user is not aware that the website is presenting a compromised certificate. Communication with the website appears to be secure, but an attacker can intercept every detail of the communication and also manipulate the data of the communication. This attack is often referred to as a “man-in-the-middle” attack.