March 7, 2026

PBX Science

VoIP & PBX, Networking, DIY, Computers.

Can Website Security Certificates Be Forged? A Technical Analysis

The Vulnerability at the Heart of Web Security

Every time you see a padlock icon in your browser’s address bar, you’re witnessing a complex trust system at work—one that’s designed to protect your data but has repeatedly proven vulnerable to sophisticated attacks.

The question isn’t whether SSL/TLS certificates can be forged, but rather how often it happens and what the industry is doing to prevent it.

Recent Threats Expose Critical Weaknesses

The WHOIS Validation Vulnerability (2024)

In August 2024, security researchers from watchTowr discovered a major vulnerability by registering an expired domain that was once the official home of an authoritative WHOIS server. Over 135,000 systems continued to query their rogue server, enabling potential issuance of counterfeit SSL/TLS certificates.

The incident specifically affected domains under the .mobi top-level domain and demonstrated how outdated infrastructure can create systemic security risks. watchTowr Labs researchers found the server was communicating with 135,000+ unique systems and received 2.5+ million WHOIS queries over a six-day observation period—nearly 420,000 queries per day to the exploitable legacy system.

This discovery prompted immediate action from the certificate authority industry. On December 2, 2024, SSL.com discontinued the WHOIS-based email DCV method for SSL/TLS certificates due to security vulnerabilities. The industry is now implementing a phased elimination, with a complete ban on WHOIS-based validation taking effect by July 15, 2025.

Historical Breaches: A Pattern of Vulnerability

The forgery of SSL certificates is not theoretical—it has happened repeatedly with devastating consequences:

DigiNotar Breach (2011): An unknown attacker completely compromised DigiNotar and after obtaining full administrative access to all critical CA systems, issued rogue certificates for numerous domains. Over 500 fake certificates were detected, but the full extent of the breach remains unknown. A rogue wildcard certificate for google.com was used for mass interception of traffic from Iranian citizens. The Dutch certificate authority was subsequently declared bankrupt.

Comodo Incident (2011): A breach of a Comodo reseller’s credentials allowed attackers to issue trusted certificates for domains such as Google, Mozilla, and others.

Symantec Violations (2015-2017): Over a period of several years, Symantec willfully issued over 100 test certificates for 76 different domains without the domain owners’ authorization; the practice came to light when Google’s Certificate Transparency log monitor detected an unauthorized certificate for google.com.

How Certificate Forgery Occurs

Method 1: Compromising Certificate Authorities

The most serious threat comes from breaching the CAs themselves. Insufficient network segmentation and generally poor security practices allowed attackers to completely compromise DigiNotar after exploiting a vulnerability in a publicly-facing web server running out-of-date software.

With the current CA system, certification is only as robust as the weakest trusted CA, and that is not very secure. Modern browsers trust over 250 certificate authorities, creating a large attack surface.

Method 2: Exploiting Validation Processes

TurkTrust mistakenly applied a security policy from their test environment to their production environment, causing unconstrained intermediate CA certificates to be issued instead of regular end-entity certificates. Whoever held these intermediate certificates could then issue certificates for any domain on the internet.

Similarly, CNNIC, in violation of their certificate practice statement, willfully issued an unconstrained intermediate CA certificate to MCS Holdings, an organization with no certificate practice statement or technical infrastructure whatsoever to operate a certificate authority.
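What made the TurkTrust and CNNIC/MCS Holdings certificates dangerous was that the intermediates were unconstrained: nothing in them limited which names they could sign for. The following added example (written for this article, not code from the page, TurkTrust, CNNIC or any CA) uses Go's standard crypto/x509 package to build a toy root → sub-CA → leaf hierarchy and asks a relying party to validate the leaf. With the sub-CA unconstrained, a leaf for an unrelated domain validates; with a critical NameConstraints extension limiting the sub-CA to one domain, the same leaf is rejected. The domain names, subject names and serial numbers are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Hypothetical names for this constructed example.
const (
	ownedDomain   = "example.com"     // the only domain the sub-CA should serve
	foreignDomain = "login.bank.test" // a name the sub-CA has no business issuing for
)

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// template returns the fields every certificate in the toy hierarchy shares.
func template(cn string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
	}
}

// issue signs tmpl with signer (the parent's key) and returns the parsed certificate.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// leafAccepted builds root -> sub-CA -> leaf and reports whether a relying
// party doing standard path validation for dnsName would accept the leaf.
// constrainSubCA=false models an unconstrained intermediate, as in the
// TurkTrust and CNNIC/MCS Holdings incidents; true adds a critical
// NameConstraints extension permitting only ownedDomain and its subdomains.
func leafAccepted(constrainSubCA bool, dnsName string) bool {
	rootKey, subKey, leafKey := newKey(), newKey(), newKey()

	rootTmpl := template("Example Root CA", 1)
	rootTmpl.IsCA = true
	rootTmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	root := issue(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)

	subTmpl := template("Example Sub CA", 2)
	subTmpl.IsCA = true
	subTmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	if constrainSubCA {
		subTmpl.PermittedDNSDomainsCritical = true
		subTmpl.PermittedDNSDomains = []string{ownedDomain}
	}
	sub := issue(subTmpl, root, &subKey.PublicKey, rootKey)

	leafTmpl := template(dnsName, 3)
	leafTmpl.DNSNames = []string{dnsName}
	leafTmpl.KeyUsage = x509.KeyUsageDigitalSignature
	leafTmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	leaf := issue(leafTmpl, sub, &leafKey.PublicKey, subKey)

	roots := x509.NewCertPool()
	roots.AddCert(root)
	intermediates := x509.NewCertPool()
	intermediates.AddCert(sub)

	// Path validation: signatures, validity, basic constraints, name
	// constraints and hostname match are all checked here.
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: intermediates,
		DNSName:       dnsName,
	})
	return err == nil
}

func main() {
	cases := []struct {
		constrained bool
		name        string
	}{
		{false, "www." + ownedDomain}, {false, foreignDomain},
		{true, "www." + ownedDomain}, {true, foreignDomain},
	}
	for _, c := range cases {
		fmt.Printf("sub-CA constrained=%-5v name=%-20s accepted=%v\n",
			c.constrained, c.name, leafAccepted(c.constrained, c.name))
	}
}
```

The unconstrained case is exactly the failure the article describes: every browser that trusts the root also trusts whatever the sub-CA signs, for any name. Name constraints are the X.509 mechanism that would have limited the blast radius of an MCS Holdings-style sub-CA to the names it was entitled to.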

Method 3: Man-in-the-Middle Attacks Using Forged Certificates

Research analyzing over 3 million real-world SSL connections to Facebook found that 0.2% of the SSL connections were tampered with using forged SSL certificates, most of them related to antivirus software and corporate-scale content filters. While many of these instances involve legitimate security tools, the same technique can be exploited by malicious actors.

The Scale of the Problem

The vulnerability is more widespread than many realize. According to Qualys SSL Labs, over 3% of live domains still serve certificates with critical misconfigurations, exposing them to attack vectors such as Man-in-the-Middle attacks, SSL stripping, and certificate forgery.

In an analysis of 100,000 global SSL certificate records, researchers found that many organizations still use WHOIS email as their primary method for domain control validation, despite its known security vulnerabilities. This puts approximately 40% of enterprises at risk of certificate-related security issues.

Industry Response and Countermeasures

Certificate Transparency

One of the most effective defenses has been Certificate Transparency logs, which create a public, auditable record of all issued certificates. This system enabled Google to detect the unauthorized Symantec certificates and has become mandatory for certificates to be trusted by major browsers.

Validation Method Improvements

The CA/Browser Forum has proposed Ballot SC-080 V3, which will prohibit WHOIS-based domain validation effective July 15, 2025, requiring CAs to use more secure methods like DNS TXT records or constructed email addresses.
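The difference between WHOIS-based and DNS-based domain control validation is where the proof of control lives. With a DNS TXT record, the CA hands the applicant an unguessable random token and checks the domain's own zone for it; no third-party WHOIS server sits in the path. The following added example (not the article's code and not any CA's implementation) sketches that check in Go against a constructed in-memory zone. The `_pki-validation` label, the registrable-domain parameter and the walk up to the authorization domain name are assumptions of the example, not requirements stated by the article.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/base64"
	"fmt"
	"strings"
)

// Resolver stands in for the CA's DNS lookup. A real CA queries the domain's
// authoritative name servers; here it is backed by a constructed zone map.
type Resolver func(fqdn string) []string

// validationLabel is where the token is published. The label is an assumption
// of this example; CAs choose their own.
const validationLabel = "_pki-validation"

// newChallengeToken returns the unguessable random value the CA issues to the
// applicant. Only whoever controls the zone can publish it, so seeing it in DNS
// demonstrates control of the domain without relying on WHOIS data.
func newChallengeToken() string {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return base64.RawURLEncoding.EncodeToString(b)
}

// authorizationDomainNames lists the names the CA may check for fqdn: the name
// itself and each parent up to the registrable domain. A fqdn that is not
// under registrableDomain yields nothing, so a token published in someone
// else's zone can never authorize it.
func authorizationDomainNames(fqdn, registrableDomain string) []string {
	name := strings.ToLower(strings.TrimSuffix(fqdn, "."))
	base := strings.ToLower(strings.TrimSuffix(registrableDomain, "."))
	if name != base && !strings.HasSuffix(name, "."+base) {
		return nil
	}
	var out []string
	for {
		out = append(out, name)
		if name == base {
			return out
		}
		name = name[strings.Index(name, ".")+1:]
	}
}

// dnsTXTValidated reports whether token appears verbatim in a TXT record at
// the validation label of fqdn or of one of its authorization domain names.
func dnsTXTValidated(lookup Resolver, fqdn, registrableDomain, token string) bool {
	for _, adn := range authorizationDomainNames(fqdn, registrableDomain) {
		for _, rr := range lookup(validationLabel + "." + adn) {
			// Exact, constant-time match: a prefix or substring must not pass.
			if subtle.ConstantTimeCompare([]byte(rr), []byte(token)) == 1 {
				return true
			}
		}
	}
	return false
}

// zoneResolver builds a Resolver over a constructed zone map.
func zoneResolver(zone map[string][]string) Resolver {
	return func(fqdn string) []string {
		return zone[strings.ToLower(strings.TrimSuffix(fqdn, "."))]
	}
}

func main() {
	token := newChallengeToken()
	// Constructed zone: the applicant publishes the token at the base domain.
	lookup := zoneResolver(map[string][]string{
		validationLabel + ".example.com": {"v=placeholder", token},
	})
	fmt.Println("www.example.com validated:", dnsTXTValidated(lookup, "www.example.com", "example.com", token))
	fmt.Println("wrong token:", dnsTXTValidated(lookup, "www.example.com", "example.com", "not-the-token"))
	fmt.Println("other registrant's domain:", dnsTXTValidated(lookup, "www.attacker.test", "attacker.test", token))
}
```

The token is compared with `subtle.ConstantTimeCompare`, which also requires equal length, so a record that merely contains the token is rejected. In production the lookup must go to the authoritative servers (ideally from several network vantage points) rather than a recursive resolver, and DNSSEC-signed zones make the answer harder to spoof in transit.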

Shortened Certificate Lifespans

Starting March 15, 2026, certificate life cycles will begin to shorten drastically—from 367 days to 200, then 100, and finally just 47 days by 2029. Shorter validity periods limit the window of opportunity for exploiting compromised certificates.

Protecting Yourself in an Imperfect System

While the industry works to strengthen the certificate ecosystem, users and organizations should take several precautions:

  1. Verify certificate details: Don’t just look for the padlock icon. Click on it to examine the certificate’s issuer, validity period, and subject information.

  2. Use Certificate Pinning: Organizations can implement certificate pinning to ensure their applications only accept specific certificates, preventing acceptance of fraudulent ones.

  3. Enable DNS Security Extensions (DNSSEC): This adds an additional layer of verification to DNS queries.

  4. Stay Updated: Ensure browsers and operating systems receive regular updates, as these often include responses to newly discovered threats.

  5. Monitor for anomalies: Browsers could detect many forged certificates from structural characteristics such as chain depth, for example by checking whether the certificate chain depth is larger than one.
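Item 2 above recommends certificate pinning. The following added example (not the article's code and not from any particular client library) shows in Go the pin format that HPKP and Android's network security configuration use, base64 of the SHA-256 of the DER-encoded SubjectPublicKeyInfo, and a pin check that accepts a chain if any of its public keys is pinned. For a parsed certificate the SPKI bytes are `cert.RawSubjectPublicKeyInfo`; the example marshals freshly generated keys instead so it runs offline. The three keys and the idea of a backup pin are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"fmt"
)

// spkiPin computes a pin as base64(SHA-256(DER SubjectPublicKeyInfo)), the
// form used by HPKP and Android's network security config. Pinning the key
// rather than the certificate means a routine re-issuance with the same key
// pair does not break clients.
func spkiPin(spkiDER []byte) string {
	sum := sha256.Sum256(spkiDER)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// chainMatchesPins reports whether any SPKI in the presented chain matches the
// pin set. The chain must already have passed normal path validation; pinning
// is an additional check that rejects a valid-looking chain built on the wrong
// key, which is exactly what a CA-issued forgery is.
func chainMatchesPins(chainSPKIs [][]byte, pins map[string]bool) bool {
	for _, spki := range chainSPKIs {
		if pins[spkiPin(spki)] {
			return true
		}
	}
	return false
}

// newSPKI generates a P-256 key and returns its DER SubjectPublicKeyInfo,
// byte-for-byte what RawSubjectPublicKeyInfo would hold in a certificate for it.
func newSPKI() []byte {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	der, err := x509.MarshalPKIXPublicKey(&key.PublicKey)
	if err != nil {
		panic(err)
	}
	return der
}

// pinningDemo models constructed keys: the site's current key, a backup key
// kept offline so a lost or compromised key does not lock every client out,
// and a key certified by a rogue issuer. It reports whether each presented
// chain passes the pin check.
func pinningDemo() (legit, rogue bool) {
	siteSPKI, backupSPKI, rogueSPKI := newSPKI(), newSPKI(), newSPKI()
	pins := map[string]bool{
		spkiPin(siteSPKI):   true,
		spkiPin(backupSPKI): true,
	}
	legit = chainMatchesPins([][]byte{siteSPKI}, pins)
	rogue = chainMatchesPins([][]byte{rogueSPKI}, pins) // trusted-CA chain, wrong key
	return legit, rogue
}

func main() {
	legit, rogue := pinningDemo()
	fmt.Println("chain with the site's own key accepted:", legit)
	fmt.Println("rogue-CA chain with a different key accepted:", rogue)
}
```

Shipping at least one backup pin is the part most often skipped; without it, a key rotation forced by compromise turns into a self-inflicted outage for every pinned client.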

The Bottom Line

Yes, SSL/TLS certificates can be forged—and have been, multiple times throughout internet history. The trust model underlying web security relies on hundreds of certificate authorities, any one of which could be compromised or make mistakes. While the system generally works due to economic disincentives and improving security practices, it is not foolproof.

The recent WHOIS vulnerability and the industry’s swift response demonstrate both the ongoing nature of these threats and the certificate authority ecosystem’s ability to adapt. As encryption technology advances and certificate lifespans shrink, the window for exploitation continues to narrow—but vigilance remains essential.

The padlock in your browser isn’t a guarantee of perfect security. It’s a statement of reasonable trust in an imperfect system that’s constantly evolving to meet new challenges.

