Public key infrastructure is the backbone of Hypertext Transfer Protocol Secure (HTTPS) on the Internet. Although it is widely recognized as complicated and architecturally weak, public key infrastructure is the only infrastructure adopted globally and there is not a viable replacement to date. A certificate authority (CA) is the root of trust in public key infrastructure. Browsers and operating systems build in static lists of trusted root CAs, only updatable through patches, new software installation or manually by the end user. The number of trusted CAs is over 1500 managed by over 50 countries. Compromise of a root CA is disastrous, the most notorious being the Comodo and DigiNotar breaches.
In the DigiNotar breach, the root CA was hacked to issue unauthorized certificates for “high value” sites. Because the DigiNotar CA is a trusted CA, the browser blindly trusts any certificate it issues and does not warn the user. Combined with a compromised Domain Name System (DNS) or a hostile proxy, the user's traffic is open to exploit.
Due to the way a public key infrastructure (PKI) certificate is validated, a compromised CA is difficult to detect, especially for individual end hosts. In the DigiNotar case it took over a month for the first sign of breach to be detected and up to 6 months for major browsers and operating systems to be patched.