What stops a hacker from installing his own CA certificate?

Installing a "trusted root" on a victim's computer requires local administrative rights. If the attacker can do that, then he has already won.

Hacking into the CA's server to obtain a fake certificate is a way for the attacker to be able to masquerade as various "trusted" servers and issuers (e.g. to make fake "signed" OS updates), in order to breach into user computers that are not easily reachable otherwise (Trojans work for some users, not for all). It is all a matter of escalation. A CA server is very sensitive because hacking it gives (more or less) automatic entry to millions of other computers.
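A defensive check that follows from the point above, as an added example that is not part of the original answer: since a rogue root has to be written into the local trust store, comparing the store against a known-good list of fingerprints exposes it. The example assumes the store is available as a PEM bundle (as in `/etc/ssl/certs/ca-certificates.crt` on Debian-style systems); the function names and sample data are constructed for illustration.

```python
import hashlib
import re
import ssl

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.DOTALL
)


def bundle_fingerprints(pem_bundle):
    """Return the SHA-256 fingerprint of each certificate in a PEM bundle."""
    return {
        hashlib.sha256(ssl.PEM_cert_to_DER_cert(block)).hexdigest()
        for block in PEM_BLOCK.findall(pem_bundle)
    }


def audit_trust_store(current_bundle, baseline):
    """Compare the current root store with a known-good fingerprint set."""
    current = bundle_fingerprints(current_bundle)
    return {
        "added": sorted(current - baseline),    # trusted roots nobody approved
        "removed": sorted(baseline - current),  # roots missing from the store
    }


def constructed_pem(der_bytes):
    # Constructed stand-in for a certificate: the fingerprint is a hash of
    # the raw DER bytes, so placeholder bytes are enough for the comparison.
    return ssl.DER_cert_to_PEM_cert(der_bytes)


# Constructed sample data (not real certificates).
VENDOR_ROOTS = constructed_pem(b"constructed root A") + constructed_pem(
    b"constructed root B"
)
BASELINE = bundle_fingerprints(VENDOR_ROOTS)
ROGUE_DER = b"constructed locally installed root"
CURRENT_STORE = VENDOR_ROOTS + constructed_pem(ROGUE_DER)

if __name__ == "__main__":
    report = audit_trust_store(CURRENT_STORE, BASELINE)
    for fingerprint in report["added"]:
        print("unexpected trusted root:", fingerprint)
```

The baseline has to come from a source other than the machine being audited, because an attacker with administrative rights can alter both the store and a locally kept list.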


You are assuming that trojan deployment is always possible. Assume that it is not, but that there are other methods at his disposal to execute a man-in-the-middle attack. For example, a hacker has access to the victim's router and can redirect DNS traffic to his own computer. Or a hacker gained access to a specific ISP's DNS server and can then also spoof responses for queries like www.gmail.com and then provide a valid https site signed with an apparently valid certificate.

Also, if a hacker can deploy a trojan, why would he even try to implement site spoofing at the victim's computer when he can get, for example, the credentials to something by simply doing key logging?


By using false certificates you don't need to break into any computer apart from the CA's. Your certificates will then automatically be considered legitimate by all browsers. If the CA isn't adequately secured, this approach is surely easier than breaking into many computers and installing trojans on all of them.

To sum up: You are going to reach far more people by breaking into a CA. And even if you are targeting certain people (who might be very security conscious), they have no way of telling that they're dealing with false certificates.