Jim Rapoza


Upcoming Events

A Network Computing Webinar:
Avoiding Downtime: How Virtualization Can Help In Times of Trouble

June 12, 2013
11:00 AM PT / 2:00 PM ET

Are you caught between a desire for the benefits of the cloud and concerns about security and control? Then you should attend this insight-packed webinar to learn how private data networking technologies like MPLS IP-VPNs can address your concerns and allow you to safely and intelligently reap the savings, agility and other benefits associated with cloud computing.

Join us to hear top industry experts discuss the private data network technologies that are best suited for enterprise cloud access requirements. You won't want to miss this opportunity to learn how your organization can best mitigate risk while reaping the full potential benefits of the cloud.

Register Now!

More Events »

Subscribe to Newsletter

  • Keep up with all of the latest news and analysis on the fast-moving IT industry with Network Computing newsletters.
Sign Up

Vendor NewsFeed

More Vendor NewsFeed »

See more from this blogger

Certificate Authority Hack Points To Bigger Problems

Posted by Jim Rapoza
September 07, 2011

What with hurricanes, earthquakes and Kardashian weddings dominating recent media coverage, you may have missed the news about a recent security breach that clearly displayed a serious weakness in one of the core security mechanisms of the Internet.

Just a little over a week ago, it became clear that a major breach had occurred at Dutch certificate authority DigiNotar and that attackers had been able to issue fraudulent SSL certificates for a number of websites and government agencies (the story is in Dutch, the list is in English), including Google and U.S. intelligence agency websites. The breach actually occurred in mid-July but the extent of the breach only became apparent recently, and despite claims that DigiNotar had revoked the fraudulent certificates, it turned out that some, including the google.com certificate, had remained valid for weeks.

So what's the big deal? Well, for starters, SSL is the main way that things are secured on the Web, and one of the core methods for people to know that they are at the actual website they are visiting. That HTTPS connection in the browser makes people feel comfortable buying things with a credit card, and that bright green button, when the special Extended Validation certificates are present, on the browser address bar lets them know that it is actually their bank site and not a phishing site.

That is unless someone has issued a fraudulent certificate for that bank's website. Then the bright green button and the giant lock symbol on the browser bar mean nothing. And the fact that this happened in the Netherlands doesn't mean others should feel safe. The way the system is set up is that Web browsers accept the certificates issued by "trusted" authorities. This means that, if an attacker used the DigiNotar certificate for Google to stage man-in-the-middle attacks, then the attacker could have stolen the Google credentials of any users he targeted.

Right now it's not clear how far-reaching the effects of this breach are, and we might not really know for months. As we speak, most, but not all, major browser and operating system vendors have blocked the certificates involved in the breach. But that is really helpful only for users who regularly update. If you're still using an older browser, these fraudulent certificates could remain effective until you update or install a newer version.


Page:  1 | 2  | Next Page »


Related Reading

News

Commentary

Most Popular

On the Web

More Insights

White Papers

More >>

Webcasts

More >>

Network Computing encourages readers to engage in spirited, healthy debate, including taking us to task. However, Network Computing moderates all comments posted to our site, and reserves the right to modify or remove any content that it determines to be derogatory, offensive, inflammatory, vulgar, irrelevant/off-topic, racist or obvious marketing/SPAM. Network Computing further reserves the right to disable the profile of any commenter participating in said activities.

 
Disqus Tips To upload an avatar photo, first complete your Disqus profile. | Please read our commenting policy.
 
Vendor Comparisons
Network Computing’s Vendor Comparisons provide extensive details on products and services, including downloadable feature matrices. Our categories include:

Research and Reports

May 2013
Network Computing: May 2013

Video


WATCH: Bob Metcalfe Plans Ethernet's 40th

WATCH: CES 2013: It's A Wrap!

WATCH: Intel touts tablets, smartphones at CES 2013


View All Videos
Previous Page First Page Second Page Third Page Next Page

Most Popular

Stories Blogs

More Stories »

Upcoming Events

Featured Whitepapers

 
 
What's this?
More >>


Featured Reports

 
 
What's this?
More >>


BlogRoll

TechWeb Careers