SSL certificates are commonly used to verify the authenticity of encrypted https websites. SSL certificates are proofs of the authenticity of a website issued by trusted entities. They are used to confirm that the browser is communicating with an authentic website. A certificate authority issuing SSL certificates verifies the authenticity of a website directly with the owner of the website address and by utilizing other sources of information.
An SSL certificate is created by generating a public key and a private key for the website, which are placed on the web server for the identification of the website. The public key of the website and a request message signed with the private key of the website are then sent over an Internet connection from the web server to the certificate server of a certificate authority that issues certificates. The certificate authority may also have a separate server computer detached from the Internet connection, to which the request message can be delivered for signing using, for example, a memory stick. The certificate is created on the server of the certificate authority by signing it with the private key of the certificate authority, and finally the certificate is sent from the certificate authority's server to the web server. A checksum representing a unique thumbprint of the certificate can be calculated for the certificate at any time.
According to a prior art system illustrated in FIG. 1, when a user 100 starts using a website 14 that applies the SSL/TLS protocol, the web browser 30 on the terminal device 28 of the user 100 sends a request to a web server 12 via an Internet connection 32 to deliver a certificate 24 for verifying the authenticity of the website 14. The web server 12 sends the certificate 24 to the web browser 30 of the user 100 via the Internet connection 32, and the web browser 30 compares the certificate authority 20 that has signed the certificate 24 against the list 40 of trusted certificate authorities 20 embedded in the web browser 30. If the certificate authority 20 is found in the list 40, the web browser 30 allows the user 100 to continue with the login, for example; otherwise, the web browser 30 shows the user 100 a warning of an untrusted certificate 24 or of a problem related to the certificate 24. In this case, the user 100 can choose to exit the website 14, avoiding an encrypted connection with a possibly hijacked website 14 or connection. The authenticity of the SSL certificate is verified each time a connection is made to a website using the SSL/TLS protocol, i.e. upon each click.
However, a problem with this type of authenticity verification is that the user must trust the certificate authority 20 that has issued the SSL/TLS certificate. If, for some reason, the private key PRK_S2 of the certificate authority 20 has leaked from the certificate authority 20 to fraudulent entities, i.e. a mediator (also known as a man-in-the-middle) 18′, this mediator 18′ can create a fake certificate 24′ using the private key PRK_S2 in such a way that it appears to the user 100 and the web browser 30 to be a completely authentic certificate 24 coming from the website 14. This is because the authenticity verification of the certificate 24 performed by the web browser 30 determines only that the certificate authority 20 that has issued the certificate 24 is included in the list 40 of trusted certificate authorities embedded in the web browser. The SSL/TLS connection could be taken over by the mediator 18′ by capturing the certificate 24 sent by the website 14 to the user 100, as well as the public key PUK_S1 contained in it. After this, the mediator 18′ creates a new key pair with a private key PRK_S3 and a public key PUK_S3 and creates a fake certificate 24′ by signing it with the private key PRK_S2 of a valid certificate authority 20 that it has somehow acquired. This fake certificate 24′ includes the public key PUK_S3 generated by the mediator 18′. Finally, the mediator 18′ delivers the fake certificate 24′ containing the new public key to the web browser 30 of the user 100. The web browser 30 of the user 100 checks that the certificate authority 18 that has signed the certificate is found in the list 40 of trusted certificate authorities, and cannot detect the falsity of the fake certificate 24′ based on the public key in it.
When the user 100 encrypts the connection with the new public key PUK_S3 delivered by the mediator 18′, the mediator 18′ can open the messages with the new private key PRK_S3 it generated, read the data and re-encrypt it with the public key PUK_S1 of the website 14, so that the web server 12 also assumes that the encrypted data is coming directly from the web browser 30 of the user 100.
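The FIG. 1 check and the substitution just described, reproduced as an added example (not code from the original text): one certificate authority key, standing in for the leaked PRK_S2, signs both the genuine certificate 24 for PUK_S1 and a fake certificate 24′ for the mediator's PUK_S3, and standard chain verification against list 40 accepts both, whereas a thumbprint of certificate 24 recorded earlier (the checksum mentioned above) rejects the substitute. The hostname and CA name are constructed, and the browser's check is modelled with Go's standard x509 verifier.

```go
package main

import (
	"crypto"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// tmpl is a certificate template for name, valid for the next hour; the serial tells 24 and 24' apart.
func tmpl(name string, serial int64) *x509.Certificate {
	return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name},
		DNSNames: []string{name}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
}
// mkCert signs tmpl with the parent's private key (self-signed when parent == tmpl).
func mkCert(tmpl, parent *x509.Certificate, pub crypto.PublicKey, signer crypto.Signer) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil { panic(err) }
	c, _ := x509.ParseCertificate(der) // DER just produced by CreateCertificate always parses
	return c
}
// Thumbprint is the checksum the text mentions: SHA-256 over the DER-encoded certificate.
func Thumbprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.Raw)
	return hex.EncodeToString(sum[:])
}
// Scenario: CA 20 issues genuine cert 24 (PUK_S1); leaked PRK_S2 signs fake 24' (PUK_S3). Returns [accepts 24, accepts 24', pin==24, pin==24'].
func Scenario() [4]bool {
	const host = "website14.example" // constructed hostname, not from the text
	pukS2, prkS2, _ := ed25519.GenerateKey(rand.Reader) // key pair of certificate authority 20
	caTmpl := tmpl("ca20.example", 1)                    // constructed CA name
	caTmpl.IsCA, caTmpl.BasicConstraintsValid, caTmpl.KeyUsage = true, true, x509.KeyUsageCertSign
	ca := mkCert(caTmpl, caTmpl, pukS2, prkS2)
	list40 := x509.NewCertPool() // the browser's embedded list of trusted certificate authorities
	list40.AddCert(ca)
	pukS1, _, _ := ed25519.GenerateKey(rand.Reader) // website 14's own key pair
	pukS3, _, _ := ed25519.GenerateKey(rand.Reader) // key pair generated by mediator 18'
	genuine := mkCert(tmpl(host, 2), ca, pukS1, prkS2) // certificate 24
	fake := mkCert(tmpl(host, 3), ca, pukS3, prkS2)    // certificate 24', signed with the leaked PRK_S2
	// The FIG. 1 check: chain ends in a CA from list 40 and the name matches; it cannot tell 24 from 24'.
	accepts := func(c *x509.Certificate) bool { _, err := c.Verify(x509.VerifyOptions{Roots: list40, DNSName: host}); return err == nil }
	pinned := Thumbprint(genuine) // recorded out of band, e.g. on a trusted first visit
	return [4]bool{accepts(genuine), accepts(fake), Thumbprint(genuine) == pinned, Thumbprint(fake) == pinned}
}
func main() { fmt.Println(Scenario()) } // [true true true false]
```

Pinning the whole-certificate thumbprint also rejects a legitimate renewal, so deployed schemes usually pin the public key or keep a list of acceptable thumbprints.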
In this context, it should be understood that instead of an ordinary computer hacker, the mediator may be a government entity that gains access to the private key of the certificate authority by exercising its own authority or coercive power.