Network Computing is part of the Informa Tech Division of Informa PLC
Tenuous Chains Of Trust In Digital Certificates: Page 2 of 2

What I am doing is calling into question the very matter of trust on the Internet. The chain of trust between a user and an SSL/TLS-enabled server is tenuous at best, and there are so many points where that trust can be subverted, often without the user's knowledge. A large part of our trust in SSL certificates rests with the certificate authorities and how they run their systems.

In Comodo's case, it discovered the problem on March 15 and went public on March 22, coinciding with various browser vendors issuing patches to block the use of the certificates. Jacob Appelbaum wrote an interesting analysis, Detecting Certificate Authority compromises and web browser collusion, before any of this went public. The analysis is worth a read, as are the comments.

I think Comodo went public in a reasonable amount of time. Shorter is always better, but seven days, I think, is acceptable. What isn't acceptable is that a browser patch was needed at all. Veracode's Chris Wysopal summed it up well: "So because browsers don't all have OCSP [Online Certificate Status Protocol] enabled by default, we need browser updates for the Comodo breach? Isn't that what OCSP is for? When Verisign erroneously issued certs for Microsoft in 2001, they couldn't be checked because there was no CRL distribution point. So Microsoft had to issue a patch to rectify the problem. We can't seem to get revocation right."
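As an added example (not from the article or from anyone it quotes), here is a small Python check for the point Wysopal raises: whether a certificate's extensions advertise any revocation pointer at all, meaning a CRL distribution point or an OCSP responder URL in Authority Information Access. The Extensions blocks it inspects are constructed inline with placeholder URLs; no real certificate is involved, and the DER walker handles definite-length encodings only.

```python
# Added example: does an X.509 Extensions SEQUENCE give a relying party any way to
# check revocation (CRL distribution point or OCSP responder)? Definite-length DER only.

OID_CRL_DP = bytes.fromhex("551d1f")            # 2.5.29.31 cRLDistributionPoints
OID_AIA = bytes.fromhex("2b06010505070101")     # 1.3.6.1.5.5.7.1.1 authorityInfoAccess
OID_OCSP = bytes.fromhex("2b06010505073001")    # 1.3.6.1.5.5.7.48.1 id-ad-ocsp

def der(tag, payload):  # encode one DER TLV; used only to build the constructed sample
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload

def tlvs(data):  # yield (tag, value) for the top-level TLVs of a DER blob
    i = 0
    while i < len(data):
        tag, n = data[i], data[i + 1]
        i += 2
        if n & 0x80:                             # long-form length
            k = n & 0x7F
            n = int.from_bytes(data[i:i + k], "big")
            i += k
        yield tag, data[i:i + n]
        i += n

def revocation_pointers(extensions_der):
    """Which revocation mechanisms does the Extensions SEQUENCE advertise?"""
    found = {"crl_dp": False, "ocsp": False}
    for _, seq in tlvs(extensions_der):          # Extensions ::= SEQUENCE OF Extension
        for _, ext in tlvs(seq):
            fields = list(tlvs(ext))             # [extnID, critical?, extnValue]
            oid, extn_value = fields[0][1], fields[-1][1]
            if oid == OID_CRL_DP:
                found["crl_dp"] = True
            elif oid == OID_AIA:                 # OCTET STRING holds SEQUENCE OF AccessDescription
                for _, aia in tlvs(extn_value):
                    for _, desc in tlvs(aia):
                        if next(tlvs(desc))[1] == OID_OCSP:
                            found["ocsp"] = True
    return found

def sample_extensions(with_crl_dp, with_ocsp):
    """Constructed Extensions SEQUENCE with placeholder URLs (not a real certificate)."""
    exts = b""
    if with_crl_dp:   # DistributionPoint { [0] { [0] GeneralNames { [6] URI } } }
        dp = der(0xA0, der(0xA0, der(0x86, b"http://crl.example.test/ca.crl")))
        exts += der(0x30, der(0x06, OID_CRL_DP) + der(0x04, der(0x30, der(0x30, dp))))
    if with_ocsp:     # AccessDescription { accessMethod OID, [6] URI }
        desc = der(0x30, der(0x06, OID_OCSP) + der(0x86, b"http://ocsp.example.test"))
        exts += der(0x30, der(0x06, OID_AIA) + der(0x04, der(0x30, desc)))
    return der(0x30, exts)
```

A certificate for which `revocation_pointers` returns both values False is in the position Wysopal describes for the 2001 Microsoft certificates: nothing in it tells a client where to check whether it has been revoked.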

But that is a topic for another time.