EFF report: How often is SSL attacked?

The Electronic Frontier Foundation's Peter Eckersley has been monitoring the revocation of SSL certificates as a way of figuring out how often the 600+ certificate authorities are hacked. A hacked CA is bad news, because bogus certificates issued by these compromised authorities can be used to undetectably trick your browser into thinking it has a secure connection to your bank, your government, or the update site for your browser:

The most interesting entry in that table is the "CA compromise" one, because those are incidents that could affect any or every secure web or email server on the Internet. In at least 248 cases, a CA chose to indicate that it had been compromised as a reason for revoking a cert. Such statements have been issued by 15 distinct CA organizations. A previous scan, conducted in June this year, showed different numbers…

Those "CA Compromise" CRL entries as of June were published by 10 distinct CAs. So, from this data, we can observe that at least 5 CAs have experienced or discovered compromise incidents in the past four months. Again, each of these incidents could have broken the security of any HTTPS website.

How secure is HTTPS today? How often is it attacked? | Electronic Frontier Foundation
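The tally described in the quoted report (revocations marked "CA compromise", counted per issuing CA and compared between two scans) can be sketched as follows. This is an added example, not code from the EFF or from the original post; it assumes each CRL has already been dumped to text with `openssl crl -noout -text`, and the two scans below are constructed, abridged samples with hypothetical CA names.

```python
from collections import Counter

# Constructed, abridged `openssl crl -noout -text` output (hypothetical CAs).
SCAN_OLD = """\
Certificate Revocation List (CRL):
        Issuer: C=US, O=Example CA One
Revoked Certificates:
    Serial Number: 0A01
        Revocation Date: (constructed)
        CRL entry extensions:
            X509v3 CRL Reason Code:
                CA Compromise
    Serial Number: 0A02
        CRL entry extensions:
            X509v3 CRL Reason Code:
                Key Compromise
    Serial Number: 0A03
"""
# The later scan sees the same CRL plus one from a second CA.
SCAN_NEW = SCAN_OLD + """\
Certificate Revocation List (CRL):
        Issuer: C=NL, O=Example CA Two
Revoked Certificates:
    Serial Number: 1B01
        CRL entry extensions:
            X509v3 CRL Reason Code:
                CA Compromise
    Serial Number: 1B02
        CRL entry extensions:
            X509v3 CRL Reason Code:
                CA Compromise
"""

def compromise_counts(crl_text, reason="CA Compromise"):
    """Count revoked entries per issuer whose CRL reason code equals `reason`."""
    counts, issuer, expect_reason = Counter(), None, False
    for raw in crl_text.splitlines():
        line = raw.strip()
        if line.startswith("Issuer:"):
            issuer, expect_reason = line[len("Issuer:"):].strip(), False
        elif line.startswith("X509v3 CRL Reason Code"):
            expect_reason = True  # openssl prints the reason on the next line
        elif expect_reason:
            if line == reason and issuer is not None:
                counts[issuer] += 1
            expect_reason = False
    return counts  # entries with no reason code (e.g. 0A03) are never counted

def newly_reporting(old_scan, new_scan):
    """Issuers with a CA-compromise entry in new_scan but none in old_scan."""
    return sorted(set(compromise_counts(new_scan)) - set(compromise_counts(old_scan)))
```

Because the reason code is optional and self-reported by the CA, a count produced this way is a lower bound, which matches the report's "at least" wording.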