Scenario 08: Certificate authority hack
Jump to navigation
Jump to search
You are not logged in. Your IP address will be publicly visible if you make any edits. If you
create an account
, your edits will be attributed to your username, along with other benefits.
Anti-spam check. Do
fill this in!
== Scenario == === Keywords === Attribution, sovereignty, prohibition of intervention, surveillance, international human rights law === Facts === '''[F1]''' A company based in State A provides certificate authority services, including for government departments and agencies of State A. It has now been hacked by intruders, who assume control of the company’s certificate-issuing servers and, for several weeks, proceed to issue fraudulent certificates for private sector services, such as email or VoIP based telephony, but also for services related to the company register in State A (<b>incident 1</b>). Indicators of compromise (IoCs) point to the use of proxies (an unaffiliated group) in incident 1. '''[F2]''' The fraudulent certificates are later used in a massive man-in-the-middle attack to intercept free email communication of several hundreds of thousands of individuals in State A (<b>incident 2</b>). Available evidence shows that State B’s intelligence service ordered and paid the above-mentioned group to issue some of the fraudulent certificates, including to the company register in State A. State B's intelligence service then used the certificates in conducting its mass surveillance operation. '''[F3]''' Eventually, all of the certificates issued by the company are blacklisted by the major internet browsers, the attack is contained, and the company files for bankruptcy. '''[F4]''' State A and State B are State parties to the International Covenant on Civil and Political Rights (ICCPR).<ref>International Covenant on Civil and Political Rights (adopted 16 December 1966, entered into force 23 March 1976) 999 UNTS 171 ([https://www.ohchr.org/en/professionalinterest/pages/ccpr.aspx ICCPR]).</ref> === Examples === * [[DigiNotar (2011)]]
Please note that all contributions to International cyber law: interactive toolkit are considered to be released under the Creative Commons Attribution-ShareAlike 4.0 International (CC BY-SA 4.0) (see
International cyber law: interactive toolkit:Copyrights
for details). If you do not want your writing to be edited mercilessly and redistributed at will, then do not submit it here.
You are also promising us that you wrote this yourself, or copied it from a public domain or similar free resource.
Do not submit copyrighted work without permission!
(opens in new window)
Retrieved from "
Not logged in
What links here
Get shortened URL