Computer scientists have uncovered direct evidence that a small but significant percentage of encrypted Web connections are established using forged digital certificates that aren't authorized by the legitimate site owner.
The analysis is important because it's the first to estimate the amount of real-world tampering inflicted on the HTTPS system that millions of sites use to prove their identity and encrypt data traveling to and from end users. Of 3.45 million real-world connections made to Facebook servers using the transport layer security (TLS) or secure sockets layer protocols, 6,845, or about 0.2 percent of them, were established using forged certificates. The vast majority of unauthorized credentials were presented to computers running antivirus programs from companies including Bitdefender, Eset, and others. Commercial firewall and network security appliances were the second most common source of forged certificates.
At least one issuer of certificates—IopFailZeroAccessCreate—was generated by a known malware sample that was presented 112 times by users in 45 different countries. The discovery helps to explain bug reports such as this one made to developers of the Chromium browser describing the mysterious inclusion of a TLS certificate on a large number of end users' computers.