Risks of SSL


This page is about the risks of relying on TLS/SSL encryption, which is currently the only universal encryption protocol supported by all web browsers when connecting to websites (the web browser then typically displays a lock in the address bar, meant to convince the user that the connection is secure, and may also show the protocol name 'https').

In March 2017 WikiLeaks published leaks from the hacking arsenal of the CIA (Central Intelligence Agency of the USA). Some of those documents contain advice to malware writers: 'DO NOT solely rely on SSL/TLS to secure data in transit. Numerous man-in-middle attack vectors and publicly disclosed flaws in the protocol.' and 'Because this outer layer may be decrypted by an attacker (e.g., SSL Man-in-the-Middle) any transport encryption must be used for traffic blending only and not for secrecy.'

Earlier, in November 2011, the Wall Street Journal published the ‘Surveillance Catalog’ and the WikiLeaks organization provided a list of international surveillance companies and their equipment in the ‘WikiLeaks Spy Files’ publication. Some examples from the brochures describing the properties of the equipment: “It can also decrypt SSL traffic if installed in MITM (man-in-the-middle) configuration ...”; “Track the suspect’s encrypted communication using Gmail, Hush mail etc., Track the suspects banking transactions etc.”; “Intercept any communication within Secure Socket Layer (SSL) or Transport Layer Security (TLS) sessions. Once in place, devices have the capability to become a go-between for any TLS or SSL connections ... users are lulled into a false sense of security afforded by web, e-mail or VoIP encryption.”; “But with a ‘man in the middle,’ the … technology is able to intercept the traffic and the certificate and send along its own fake certificate to the computer, making the computer think traffic is flowing normally.”

A detailed explanation of how this is possible follows.

When a user connects to an HTTPS (SSL or TLS) server, the server sends a certificate to the user which assures the user that he really is connecting to the intended server. How can a certificate do that? Before starting his services, the owner of the server has contacted a Certificate Authority (CA) and proved to it that he owns and controls the server. The owner of the server has sent the server’s public key to the CA, and the CA has signed this public key using the CA’s private key. When a user receives the certificate, his web browser checks that the CA’s signature is valid using the stored public keys of the well-known CAs. There are about 600 CAs, and current web browsers store their public keys and update them when needed. Once the CA’s signature has been checked, the browser checks that the data coming from the server carries a valid signature, which it verifies with the server’s public key found in the certificate.

Note that currently any CA can issue a certificate for any website. If a CA decides to, it can write a certificate for any website and use any public key as the public key of the server. This is against the rules, but no one can prevent the CA from actually doing it. It may also happen that no one notices these actions: certificates are not normally shown to the user, nor are they stored for later inspection. An improvement to this situation is the Certificate Transparency project started by Google, which is explained in more detail later in this chapter.

Special equipment is available that is placed in the middle of the communication between the user/victim and the server. These devices are designed to use intermediate-level CA certificates, with which they generate the needed server certificates as the need arises [1].
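As an added illustration (not code from the original page, and not EndCryptor's), the following Go program builds the situation just described with constructed certificates: two roots the browser trusts, Root A, which issued the genuine certificate for the host, and Root B, which issued a CA certificate to an interception device that then mints its own certificate for the same host name. Both chains pass the standard verification, because nothing in a trust store restricts which host names a trusted CA, or a CA it delegates to, may certify; the device's chain fails only once Root B is removed from the store. The CA names and the host mail.example.com are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newTemplate builds a certificate template: CA templates may sign further
// certificates, end-entity templates are bound to one DNS name.
func newTemplate(cn string, isCA bool, dnsName string) *x509.Certificate {
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	t := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else {
		t.KeyUsage = x509.KeyUsageDigitalSignature
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		t.DNSNames = []string{dnsName}
	}
	return t
}

// mustIssue generates a key pair and has parent sign a certificate for it; a nil
// parent means self-signed, i.e. a root. It panics on failure, like a test fixture.
func mustIssue(t, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil {
		parent, parentKey = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// Scenario: the browser trusts Root A and Root B. Root A issued the genuine
// certificate; Root B issued a CA certificate to an interception device, which
// then minted its own certificate for the very same host.
type Scenario struct {
	BothRoots, RootAOnly           *x509.CertPool
	HonestLeaf                     *x509.Certificate
	DeviceIntermediate, DeviceLeaf *x509.Certificate
}

func BuildScenario(host string) *Scenario {
	rootA, keyA := mustIssue(newTemplate("Root CA A (constructed)", true, ""), nil, nil)
	rootB, keyB := mustIssue(newTemplate("Root CA B (constructed)", true, ""), nil, nil)
	honest, _ := mustIssue(newTemplate(host, false, host), rootA, keyA)
	// Nothing in the trust store limits which names Root B, or a CA it delegates to, may certify.
	inter, interKey := mustIssue(newTemplate("Interception Device CA (constructed)", true, ""), rootB, keyB)
	deviceLeaf, _ := mustIssue(newTemplate(host, false, host), inter, interKey)
	both, onlyA := x509.NewCertPool(), x509.NewCertPool()
	both.AddCert(rootA)
	both.AddCert(rootB)
	onlyA.AddCert(rootA)
	return &Scenario{both, onlyA, honest, inter, deviceLeaf}
}

// VerifyForHost is the check a browser performs: chain the leaf through the
// intermediates to a trusted root, then match host name and validity period.
func VerifyForHost(leaf *x509.Certificate, intermediates []*x509.Certificate, roots *x509.CertPool, host string) error {
	pool := x509.NewCertPool()
	for _, c := range intermediates {
		pool.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots, Intermediates: pool})
	return err
}

func main() {
	s := BuildScenario("mail.example.com")
	dev := []*x509.Certificate{s.DeviceIntermediate}
	fmt.Println("genuine chain, both roots trusted:", VerifyForHost(s.HonestLeaf, nil, s.BothRoots, "mail.example.com"))
	fmt.Println("device chain, both roots trusted:", VerifyForHost(s.DeviceLeaf, dev, s.BothRoots, "mail.example.com"))
	fmt.Println("device chain, only Root A trusted:", VerifyForHost(s.DeviceLeaf, dev, s.RootAOnly, "mail.example.com"))
}
```

VerifyForHost does what a browser does: it builds a chain to a trusted root and checks the host name and the validity period. It has no way of telling the device's certificate from the genuine one, which is the gap the attacks listed below exploit and that the pinning and Certificate Transparency measures discussed later on this page try to close.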

The following are certificate-related attacks:

  1. A CA, established for the purposes of intelligence gathering by country A’s intelligence agency, issues a certificate for a server in country B to a public key of this intelligence agency.

  2. A CA has been hacked. The attacker has obtained the private key of the CA and can issue certificates which the user’s web browser deems valid [2].

  3. A CA has been forced (by an order from the country’s authorities) to issue a certificate for the public key of the attacker (law enforcement). This is called a ‘compelled certificate creation attack’ [3].

  4. The private key of the SSL server has been exposed. If the server has not been configured to use Perfect Forward Secrecy (PFS), recorded old SSL sessions can be decrypted. If PFS is used, a man-in-the-middle attack at session time is required to decrypt the traffic. The attack is now easier to carry out, since no additional fake certificate is needed when the server’s private key is known [4]. The Heartbleed vulnerability in OpenSSL, found in April 2014, exposed the server’s memory (private keys etc.). The bug went undetected in the code for 2 years, and even older recorded SSL sessions (without PFS) can be opened using an exposed private key [5].

  5. The attacker uses a vulnerability in some software and installs an attacker-created certificate into a trusted certificate store on the victim's computer. This enables the attacker to perform a man-in-the-middle attack on the victim's SSL/TLS web browsing sessions. The attacker needs no software on the victim's machine; the installed certificate alone enables the attack [6].

  6. The attacker succeeds in changing the DNS records in some of the Internet's DNS servers. After that the attacker requests new certificates for the targeted domains and redirects the targets' traffic to the attacker's servers. Now, because of the new certificates, the attacker can see e.g. unencrypted passwords to email servers. This kind of attack was revealed in November 2018 and targeted 50 Middle Eastern companies and government agencies. Use the term 'DNSpionage' to search for more information; see also the article by Brian Krebs.

Note that in many of these attacks the attacker needs no access to the user’s computer or to the server. One must also consider the possibility that parties other than law enforcement have obtained the man-in-the-middle equipment and can use it in attacks. Attack number 1 is challenging because the traffic needs to be routed via another country; it is, however, possible to achieve this by changing Internet routing tables or by using hacked routers.

The SSL attack can be attempted against ‘normal’ SSL- or TLS-based email and webmail solutions and against web-based email encryption solutions. There are also Virtual Private Network solutions that use the web browser and SSL. The attack on these systems can be attempted whenever an SSL connection is made. Web-based systems usually rely on the marketing argument that no software is needed on the user’s computer because only a web browser is required.

EndCryptor encrypts the message before contacting an email server, so even a successful SSL attack cannot expose the message. With EndCryptor the attacker can thus gain only the user ID and password to the email server. EndCryptor also stores every certificate it receives; these can later be analyzed if an SSL attack is suspected. EndCryptor can be configured so that when it connects to an email server using SSL it accepts only certain already received certificates. This prevents the attack: the fraudulent certificate has not been seen before and is rejected. This technique is called certificate pinning.
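One way to implement the pinning behaviour described in this paragraph, as an added example written for this page rather than EndCryptor's own code (which the page does not show): every certificate received for a host is recorded with its SHA-256 fingerprint for later analysis, and once enforcing mode is switched on only certificates already recorded for that host are accepted. The certificate bytes are constructed stand-ins for the DER-encoded server certificate a TLS handshake delivers (in Go, tls.ConnectionState().PeerCertificates[0].Raw).

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"time"
)

// Observation is one certificate exactly as it was received, kept so that it
// can be examined later if an interception attempt is suspected.
type Observation struct {
	Host        string
	Seen        time.Time
	Fingerprint string // hex SHA-256 over the DER-encoded certificate
	DER         []byte
	Accepted    bool
}

// PinStore remembers, per host, the certificate fingerprints the user has
// accepted. While Enforcing is false (learning mode) unseen certificates are
// recorded and accepted; once Enforcing is true only recorded ones pass.
type PinStore struct {
	Enforcing bool
	pins      map[string]map[string]bool
	log       []Observation
}

func NewPinStore() *PinStore {
	return &PinStore{pins: make(map[string]map[string]bool)}
}

// Fingerprint is the identity the store pins on: a hash of the whole
// certificate, so any re-issued or forged certificate gets a new value.
func Fingerprint(der []byte) string {
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:])
}

// Check takes the server certificate delivered in the TLS handshake and decides
// whether the connection to host may proceed. Every certificate is logged,
// whether accepted or not, so a rejected one is available for analysis.
func (p *PinStore) Check(host string, der []byte) error {
	fp := Fingerprint(der)
	known := p.pins[host][fp] // reading a nil inner map yields false
	accepted := known || !p.Enforcing
	p.log = append(p.log, Observation{host, time.Now(), fp, append([]byte(nil), der...), accepted})
	if !accepted {
		return fmt.Errorf("%s: certificate %s... is not among the %d pinned for this host", host, fp[:16], len(p.pins[host]))
	}
	if !known {
		if p.pins[host] == nil {
			p.pins[host] = make(map[string]bool)
		}
		p.pins[host][fp] = true
	}
	return nil
}

// Observations returns everything seen so far, for offline analysis.
func (p *PinStore) Observations() []Observation { return p.log }

// PinnedFor reports how many fingerprints are currently accepted for a host.
func (p *PinStore) PinnedFor(host string) int { return len(p.pins[host]) }

func main() {
	// Constructed stand-ins for DER certificates; a real client passes the bytes received from the server.
	genuine := []byte("constructed DER: genuine certificate of imap.example.com")
	forged := []byte("constructed DER: certificate minted by an interception device")
	store := NewPinStore()
	fmt.Println("learning:", store.Check("imap.example.com", genuine))
	store.Enforcing = true
	fmt.Println("enforcing, same cert:", store.Check("imap.example.com", genuine))
	fmt.Println("enforcing, new cert:", store.Check("imap.example.com", forged))
	for _, o := range store.Observations() {
		fmt.Printf("%s %s... accepted=%v\n", o.Host, o.Fingerprint[:16], o.Accepted)
	}
}
```

Two consequences a practitioner should keep in mind: the learning phase has to happen over a connection that is not already intercepted, and a legitimate certificate renewal by the email provider also triggers a rejection, so renewals need a deliberate re-learning step by the user rather than silent acceptance.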

There are also devices and software that perform SSL DPI (SSL Deep Packet Inspection; another term used is ‘SSL bridging’) inside a specific company, using the man-in-the-middle method to decrypt SSL traffic flowing in and out of the company. Some firewalls, antivirus and parental control programs can likewise be configured to decrypt and re-encrypt SSL traffic in order to examine the decrypted contents. In these settings an intermediate-level certificate is placed in the man-in-the-middle device or software, and its root certificate, created by the company, is placed on the company’s computers [7]; thus only this company’s traffic can be monitored without users noticing anything. If the user’s computer does not contain the company’s certificate, the user’s web browser issues a warning, which the user may, however, choose to bypass (this depends on the browser and its settings) [8]. On mobile devices certain browsers (Nokia’s Xpress Browser on old Nokia devices and the Opera Mini browser) use the man-in-the-middle technique to decrypt and re-encrypt SSL/TLS traffic in a proxy server; the motivation is to compress data and reduce the computing resources needed on the mobile device.

The man-in-the-middle attack is also explained in our tutorial on public keys.

The Certificate Transparency project by Google tries to improve the certification infrastructure. According to https://www.certificate-transparency.org/benefits: “Indeed, incidents that at one time were concealed and downplayed, and in fact caused the shutdown of an entire CA, could be exposed much earlier and mitigated by simply revoking a single certificate.”

This project tries to log all CA-issued SSL/TLS certificates in the world; major CAs take part in it, and search engines may also submit certificates they see to the logs. Certificates issued after April 30, 2018 will not be accepted as secure by the Chrome browser unless they carry a signed statement (a Certificate Transparency extension embedded in the certificate) that the certificate will be logged.

The owner of a domain (e.g. example.com) can query the logs for all certificates issued for the domain and check that there are only proper ones. Logging does not cover local certificates that are not created by a publicly accepted CA (Certification Authority) and that are added to the certificate store of the user’s computer by the user or by some program such as an antivirus, firewall or parental control program, or by malware.

Encryption solutions relying on SSL/TLS when communicating with servers do not necessarily follow the same practice as browsers, i.e. require a proper Certificate Transparency extension in the certificate.


[1] Certificate Authority Trustwave admitted on February 4, 2012 that they had given one private customer an intermediate certificate authority certificate inside a special machine which generated certificates for any website. This was done to decipher and monitor all of the company’s online SSL/TLS communication regardless of whether the users' devices were company-provided or not; because the certificate was issued by a Certificate Authority, no new certificates were needed on users’ computers.

On January 3, 2013 Google reported that on December 24, 2012 they had detected an unauthorized digital certificate for the "*.google.com" domain. The certificate was issued by an intermediate certificate authority linking back to TURKTRUST, a Turkish certificate authority. Intermediate CA certificates carry the full authority of the CA, so anyone who has one can use it to create a certificate for any website they wish to impersonate. See Google’s blog entry. TURKTRUST told Google that in August 2011 they had mistakenly issued two intermediate CA certificates to organizations that should instead have received regular SSL certificates. Note that this is exactly the kind of certificate that can be used in man-in-the-middle machines to monitor any intercepted traffic to any website; fake certificates generated with this intermediate certificate may have been in use for about 16 months.

[2] Certificate Authorities can be targeted by viruses; e.g. Duqu targeted certificate authorities and used stolen and forged certificates for its purposes. The Electronic Frontier Foundation’s SSL Observatory project reports (2011-10-27) that the following reasons for certificate revocation were found in Certificate Revocation Lists:

  Affiliation Changed
  CA Compromise
  Certificate Hold
  Cessation Of Operation
  Key Compromise
  Privilege Withdrawn

The researchers say (2011-10-27) that: “In at least 248 cases, a CA chose to indicate that it had been compromised as a reason for revoking a cert. Such statements have been issued by 14 distinct CA organizations.” When these findings are compared with the statistics from 4 months earlier: “So, from this data, we can observe that at least 4 CAs have experienced or discovered compromise incidents in the past four months. Again, each of these incidents could have broken the security of any HTTPS website.”

[3] The term ‘compelled certificate creation attack’ was introduced by Christopher Soghoian and Sid Stamm in their paper ‘Certified Lies: Detecting and Defeating Government Interception Attacks Against SSL’, Financial Cryptography and Data Security '11, March 2011.

In December 2013 Google noticed that several unauthorized certificates had been issued for Google’s domains. The certificates were issued by the French governmental certificate authority ANSSI, which said that the issuing of the certificates was a human error.

On July 8, 2014 Google reported (https://security.googleblog.com/2014/07/maintaining-digital-certificate-security.html) that they had found fake certificates issued for several Google domains and one Yahoo domain, and possibly for some other domains as well. The issuer of the certificates was India’s National Informatics Centre. India’s Controller of Certifying Authorities said that the issuer’s issuance policies were compromised.

On March 23, 2015 Google reported (https://security.googleblog.com/2015/03/maintaining-digital-certificate-security.html) that an intermediate certificate authority based in Egypt had used an intermediate-level certificate in a proxy to create certificates for users' SSL sessions. The intermediate-level certificate used was issued by the Chinese certification authority CNNIC.

[4] Recent revelations of state-level spying have emphasized the importance of PFS, and some big service providers have started to use it. Note that PFS is exactly what EndCryptor provides in email encryption: future attacks can’t expose old traffic.

[5] See www.heartbleed.com: "We attacked ourselves from outside, without leaving a trace. Without using any privileged information or credentials we were able to steal from ourselves the secret keys used for our X.509 certificates, user names and passwords, instant messages, emails and business critical documents and communication."

[6] This technique is mentioned in the leaked material of the Hacking Team company, which sells spyware to governments and law enforcement agencies, who can easily perform the MITM attack by compelling Internet service providers to place the MITM machines at suitable points.

[7] The web debugging proxy Fiddler uses the same technique to log all HTTPS traffic between a computer and the Internet. Another tool is SSLsniff, which is designed to MITM all SSL connections on a LAN and dynamically generates certificates on the fly for the domains being accessed.

[8] Citizen Lab’s report ‘Planet Blue Coat: Mapping Global Censorship and Surveillance Tools’ describes how SSL interception machines, intended for the legitimate monitoring of a specific company’s traffic, are also used by countries with a history of human rights concerns.

Last updated on February 21, 2019.