Certificate Authority Hack Points To Bigger Problems
September 07, 2011
What with hurricanes, earthquakes and Kardashian weddings dominating recent media coverage, you may have missed the news about a recent security breach that clearly displayed a serious weakness in one of the core security mechanisms of the Internet.
Just a little over a week ago, it became clear that a major breach had occurred at Dutch certificate authority DigiNotar and that attackers had been able to issue fraudulent SSL certificates for a number of websites and government agencies (the story is in Dutch, the list is in English), including Google and U.S. intelligence agency websites. The breach actually occurred in mid-July but the extent of the breach only became apparent recently, and despite claims that DigiNotar had revoked the fraudulent certificates, it turned out that some, including the google.com certificate, had remained valid for weeks.
So what's the big deal? Well, for starters, SSL is the main way that things are secured on the Web, and one of the core methods for people to know that they are at the actual website they are visiting. That HTTPS connection in the browser makes people feel comfortable buying things with a credit card, and that bright green button, when the special Extended Validation certificates are present, on the browser address bar lets them know that it is actually their bank site and not a phishing site.
That is unless someone has issued a fraudulent certificate for that bank's website. Then the bright green button and the giant lock symbol on the browser bar mean nothing. And the fact that this happened in the Netherlands doesn't mean others should feel safe. The way the system is set up is that Web browsers accept the certificates issued by "trusted" authorities. This means that, if an attacker used the DigiNotar certificate for Google to stage man-in-the-middle attacks, then the attacker could have stolen the Google credentials of any users he targeted.
Right now it's not clear how far-reaching the effects of this breach are, and we might not really know for months. As we speak, most, but not all, major browser and operating system vendors have blocked the certificates involved in the breach. But that is really helpful only for users who regularly update. If you're still using an older browser, these fraudulent certificates could remain effective until you update or install a newer version.