P-W-U:CA Article

From Digibase Knowledge Base
Revision as of 01:00, 20 October 2013 by Kradorex Xeron (talk | contribs) (Created page with "Secure Sockets Layer (SSL) is the protocol suite that underpins many security implementations, providing encryption between anything from customers and their financial institu...")

Secure Sockets Layer (SSL, today standardised as Transport Layer Security, TLS) is the protocol suite that underpins many security implementations, providing encryption for anything from customers talking to their financial institutions, to employees reaching their employer's secured systems holding trade secrets and processes, to something as routine as checking email. Besides encrypting the session, SSL authenticates the server to the client, and it is that authentication which protects against MiTM (Man in The Middle) attacks and the eavesdropping they enable.

However, in some implementations of SSL (say the one in your web browser or email client) there is currently a weakness: the Certificate Authority (CA) system. Certificate Authorities are the trusted ("trust" is the key word here) organisations that cryptographically sign certificates for Internet services so that clients can verify a service's identity. Each CA holds a private key and a matching public key. A service operator (say a web site owner) generates a key pair, submits a certificate signing request (CSR) containing the public key and the service's name to the CA, and the CA signs it with its private key. Anyone holding the CA's public key, which is distributed as a root certificate installed into browsers and operating systems, can then verify that signature.

Now, the CA system induces a weakness because it depends too heavily on third parties (again, the CAs) being trustworthy, keeping adequate controls on their internal signing systems, and not being subverted by adversaries. Nothing in the design ties a CA to particular names: any CA whose root is in the trust store can issue a certificate for any service, so the compromise of a single CA endangers every site, not just that CA's own customers. There have been many occasions to date where CAs have been broken into and had their signing systems compromised, including high-profile industry names. The difficulty is that if enough parties trust a CA, or if a CA has a large enough clientele, its technological trust (that is, the root certificates installed into operating systems and browsers) can never be pulled without breaking a large part of the web, even though socially, within the information security industry, its trust has ended. This leads to situations where CAs become "too big to fail".
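The signing and verification flow described above, and the reason a single rogue or compromised CA endangers every site, can be reproduced with the openssl command line. The script below is an added example, not part of the original article: it assumes an openssl CLI (1.1.1 or later) on PATH, and the CA names, hostname and file names are made up for the demonstration. It builds two independent root CAs, has the "honest" one sign a CSR for www.example.com, has the "rogue" one issue a certificate for the same name, and then shows that a client trusting only the honest root rejects the rogue certificate, while a browser-style trust store containing both roots accepts it.

```shell
#!/bin/sh
# Added example (not from the original article): a toy CA hierarchy with
# OpenSSL that shows why any trusted root can vouch for any name.
# Assumes: openssl 1.1.1+ on PATH. All names below are invented.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Self-contained config so the example does not depend on the system openssl.cnf.
# v3_ca marks a certificate as a CA; v3_leaf is a plain server certificate.
cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_leaf ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.com
EOF

# mk_ca PREFIX NAME: generate a root CA key pair and a self-signed root certificate.
# PREFIX.crt is what a browser or OS would ship in its trust store.
mk_ca() {
  openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=$2" -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

# issue CA_PREFIX OUT_PREFIX HOSTNAME: the site operator generates a key pair and
# a CSR, then the CA signs the CSR with its private key to produce OUT_PREFIX.crt.
issue() {
  openssl req -new -config ca.cnf -newkey rsa:2048 -nodes \
    -subj "/CN=$3" -keyout "$2.key" -out "$2.csr" 2>/dev/null
  openssl x509 -req -in "$2.csr" -CA "$1.crt" -CAkey "$1.key" -CAcreateserial \
    -days 90 -extfile ca.cnf -extensions v3_leaf -out "$2.crt" 2>/dev/null
}

# verify_with TRUSTSTORE CERT: succeed (exit 0) only if CERT chains to a root
# in TRUSTSTORE, i.e. the CA signature verifies with a trusted public key.
verify_with() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

mk_ca honest "Honest Root CA"
mk_ca rogue  "Rogue Root CA"
issue honest site www.example.com   # legitimate certificate
issue rogue  fake www.example.com   # same name, issued by an unrelated CA

# A client that trusts only the honest root accepts the real cert and rejects the fake.
verify_with honest.crt site.crt && echo "site.crt: accepted (trusting Honest Root CA only)"
verify_with honest.crt fake.crt || echo "fake.crt: rejected (Rogue Root CA not trusted)"

# A browser-style trust store with both roots accepts the rogue certificate too:
# the client has no way to know that only Honest Root CA should speak for this name.
cat honest.crt rogue.crt > truststore.pem
verify_with truststore.pem fake.crt && echo "fake.crt: accepted once Rogue Root CA is in the trust store"
```

The last step is the whole point of the article: a trust store is a flat list of roots, and every entry in it can issue for www.example.com. Removing a root that has lost the industry's confidence is the only fix the client side has, and that is exactly the step that becomes politically impossible once the CA is "too big to fail".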