TL;DR
Yes, certificate authorities (CAs) can be fined and face legal action for deliberately issuing false certificates. The laws vary by jurisdiction but generally fall under fraud, misrepresentation, breach of contract, and increasingly, specific cyber security regulations. Proving intent is often the biggest challenge.
Understanding the Problem
A certificate authority’s job is to verify identities and issue digital certificates that prove a website or service is who they say they are. If a CA issues a certificate fraudulently – for example, without proper verification, or after being compromised – it can have serious consequences, including financial loss for users and damage to trust in the internet.
Legal Framework & Accountability
- Fraud & Misrepresentation: Issuing a false certificate is fundamentally a misrepresentation of fact. This falls under common law fraud principles in many jurisdictions (including England and Wales, Scotland and Northern Ireland).
- Breach of Contract: CAs operate under Certificate Practice Statements (CPS) and rely on Subscriber Agreements with the entities they issue certificates to. Issuing a fraudulent certificate violates these agreements.
- Data Protection Laws: If the false certificate leads to a data breach, the CA could be liable under data protection legislation like the UK GDPR and Data Protection Act 2018.
- Cyber Security Regulations: Increasingly, laws are specifically targeting cyber security failures. While not always directly addressing CAs, they can apply if negligence or deliberate action leads to harm. For example, the Network and Information Systems (NIS) Regulations 2018 could be relevant depending on the CA’s status as a critical infrastructure provider.
- US Laws: In the US, Section 5 of the Federal Trade Commission Act prohibits unfair or deceptive acts or practices in commerce. The FTC has taken action against CAs for issuing fraudulent certificates.
Proving Liability – What Needs to be Shown?
It’s not enough that a false certificate was issued; you generally need to prove:
- Intent or Negligence: This is the hardest part. Was the CA deliberately trying to deceive, or were they grossly negligent in their verification processes?
- Causation: Did the fraudulent certificate directly cause harm (e.g., financial loss from phishing attacks)?
- Damages: What specific losses did people suffer as a result of the false certificate?
Examples of Legal Action
- DigiNotar Case (2011): A Dutch CA, DigiNotar, was hacked and attackers issued fraudulent certificates for Google. This led to widespread man-in-the-middle attacks in Iran. The company went bankrupt due to the fallout and legal liabilities.
- Comodo Hacking Incident (2011): Comodo experienced a similar breach. While they weren’t bankrupted, they faced significant scrutiny and reputational damage.
What Can You Do If Affected?
- Report the incident: Report the fraudulent certificate to your local cyber security authority (e.g., National Cyber Security Centre in the UK).
- Document everything: Keep records of any financial losses, phishing attempts, or other harm you suffered.
- Seek legal advice: Consult with a solicitor specialising in cyber law and data protection to understand your options.
Technical Checks (for identifying potentially fraudulent certificates)
You can use OpenSSL to examine the certificate a server actually presents. The first command shows the full handshake (including the "Verify return code" line); the second pipes the presented certificate into openssl x509 to print just the subject, issuer and validity dates. The -servername flag sends the hostname in SNI so you get the certificate for that name, and </dev/null closes the session once the handshake is done:
openssl s_client -connect example.com:443 -servername example.com </dev/null
openssl s_client -connect example.com:443 -servername example.com </dev/null | openssl x509 -noout -subject -issuer -dates
Pay attention to the issuer, validity dates, and any warnings or errors reported by the tool.
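As an added example (not part of the original answer), the same checks done programmatically with the Python standard library: fetch the leaf certificate over TLS, then compare its issuer against a local allowlist of the CAs you expect for that host, check the validity window, and confirm the hostname is covered. The check_peer_cert function, its allowlist argument and the SAMPLE_CERT dict are constructed for this illustration; the DigiNotar incident above is exactly the case this catches, a technically valid certificate from a CA that should never have issued for the name.

```python
import socket
import ssl
import time

def fetch_peer_cert(host, port=443, timeout=5.0):
    """TLS connect (normal chain validation applies); return leaf cert as getpeercert() dict."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def _name_attr(name, key):
    """One attribute (e.g. 'organizationName') from getpeercert()'s nested RDN tuples."""
    return next((v for rdn in name for k, v in rdn if k == key), None)

def san_covers(sans, hostname):
    """Exact or single-label wildcard match against the certificate's DNS names."""
    host = hostname.lower()
    parent = host.split(".", 1)[1] if host.count(".") >= 2 else None
    return any(s.lower() == host or (s.startswith("*.") and s[2:].lower() == parent) for s in sans)

def check_peer_cert(cert, hostname, expected_issuers, now=None):
    """Return a list of findings (empty = nothing looked off). expected_issuers is a
    local allowlist of issuer organizationName values you know issue for this host,
    checked on top of the chain validation TLS already did; now is epoch seconds."""
    now = time.time() if now is None else now
    findings = []
    issuer = _name_attr(cert.get("issuer", ()), "organizationName")
    if issuer not in expected_issuers:
        findings.append(f"unexpected issuer organisation: {issuer!r}")
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        findings.append("certificate not yet valid")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        findings.append("certificate expired")
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not san_covers(sans, hostname):
        findings.append(f"hostname {hostname!r} not covered by SAN list")
    return findings

# Constructed sample in getpeercert() shape (not a real certificate): issued for
# www.example.com by an organisation that is not on our allowlist.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("countryName", "XX"),), (("organizationName", "Example Unexpected CA Ltd"),),
               (("commonName", "Example Unexpected CA"),)),
    "notBefore": "Jan 15 00:00:00 2024 GMT",
    "notAfter": "Apr 14 23:59:59 2024 GMT",
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "example.com")),
}
```

For a live host, call check_peer_cert(fetch_peer_cert("example.com"), "example.com", {"..."}) with the issuer organisations you have previously observed for that site; any non-empty result is worth investigating and reporting as described above.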
Resources
- National Cyber Security Centre (NCSC): https://www.ncsc.gov.uk
- Information Commissioner’s Office (ICO): https://ico.org.uk