Certificate Authority Hack Points To Bigger Problems

What with hurricanes, earthquakes and Kardashian weddings dominating recent media coverage, you may have missed the news about a recent security breach that clearly displayed a serious weakness in one of the core security mechanisms of the Internet.

Just a little over a week ago, it became clear that a majorbreach had occurred at Dutch certificate authority DigiNotar and that attackers had been able to issue fraudulent SSL certificates for a number of websites and government agencies (the story is in Dutch, the list is in English), including Google and U.S. intelligence agency websites. The breach actually occurred in mid-July but the extent of the breach only became apparent recently, and despite claims that DigiNotar had revoked the fraudulent certificates, it turned out that some, including the google.com certificate, had remained valid for weeks.

So what's the big deal? Well, for starters, SSL is the main way that things are secured on the Web, and one of the core methods for people to know that they are at the actual website they are visiting. That HTTPS connection in the browser makes people feel comfortable buying things with a credit card, and that bright green button, when the special Extended Validation certificates are present, on the browser address bar lets them know that it is actually their bank site and not a phishing site.

That is unless someone has issued a fraudulent certificate for that bank's website. Then the bright green button and the giant lock symbol on the browser bar mean nothing. And the fact that this happened in the Netherlands doesn't mean others should feel safe. The way the system is set up is that Web browsers accept the certificates issued by "trusted" authorities. This means that, if an attacker used the DigiNotar certificate for Google to stage man-in-the-middle attacks, then the attacker could have stolen the Google credentials of any users he targeted.

Right now it's not clear how far-reaching the effects of this breach are, and we might not really know for months. As we speak, most, but not all, major browser and operating system vendors have blocked the certificates involved in the breach. But that is really helpful only for users who regularly update. If you're still using an older browser, these fraudulent certificates could remain effective until you update or install a newer version.One of the biggest issues to me is to what extent this single breach reaches. The Dutch government was heavily impacted due to its use of DigiNotar for government services. And, of course, any sites or businesses that found themselves on the list of fraudulent certificates will need to ensure they and their customers weren't targeted. There is also speculation that this was an incident of cyberwarfare, as some evidence points to the attacker as being based in Iran.

But what does this mean to businesses? If you do find yourself on the listof compromised certificates, you need to do an audit of your access logs and also encourage users and customers to make sure they have updated browsers that are revoking the fraudulent certificates.

For the rest of us, all I can say is to remember that SSL and digital certificates are not a perfect solution. All it takes is one incident like this to show how much Internet security is based on a house of cards.

Hopefully, this incident will lead to some reform of the certificate authority structure. There definitely needs to be more protections in place to make sure that, when this happens again, the response will be quick and effective and the breached authority won't be able to sit on the information like DigiNotar did.

There's an old saying that goes, "Who watches the watchers?" Right now, we need to be asking, "Who certifies the certificate authorities, and who will make sure that our Internet communications are as secure as they can be?"