Crossroads Blog | Institute for National Security and Counterterrorism

Authentication, Cyber Exploitation

Who watches the watchmen: The Economist

On September 10th, 2011, the Economist reported on the controversy surrounding the issuance of digital certificates. The article pointed out that internet security is a top-down affair: users are told whom to trust by digital certificates issued by several hundred companies that pride themselves on their security. It should all work fine in theory, but in practice the guardians of internet security badly need guarding themselves. Many security analysts have called the issuance of bogus certificates the digital equivalent of burglars breaking into a locksmith’s shop.

GlobalSign, one of the world’s biggest certificate authorities, temporarily stopped issuing certificates following new claims by an attacker calling himself “Comodo Hacker.” Comodo Hacker also broke into DigiNotar, hijacking its systems and issuing hundreds of bogus certificates. Such certificates allow an attacker to impersonate supposedly secure websites; analysts specifically worry that the fake certificates have been used to snoop on Iranian users of Gmail. The DigiNotar breach has also compromised the Dutch government's websites for social security, police, and taxation, and Dutch citizens are now being urged to use pen and paper in their dealings with the government.

Security pundits have long been ringing alarm bells about the possibility of such attacks and believe that the system urgently needs an overhaul. The article mentions a proposal for "new digital notaries that would perform regular scans of all secure servers on the internet. Rather than relying on a built-in list of certificate issuers, as at present, browsers would instead match the certificates that a site presented to those in the notaries’ repository." Google is currently testing a similar system that may one day be included in its Chrome browser.
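To make the difference between the two trust models concrete, here is an added illustration (not code from the Economist, the notary proposal, or any browser). It models a host's presented certificate as a constructed byte string, a browser's built-in issuer list, and a handful of hypothetical notaries that each recorded the certificate fingerprint they saw on their last scan; a bogus certificate from a trusted-but-compromised issuer passes the built-in list yet fails the notary cross-check.

```python
import hashlib

# Constructed stand-ins for DER-encoded X.509 certificates. Both name the same
# host and the same (trusted) issuer; only the bogus one was minted by an
# attacker who compromised that issuer.
GENUINE_CERT = {"subject": "mail.google.com", "issuer": "Example Root CA",
                "der": b"constructed-der-genuine-mail.google.com"}
BOGUS_CERT = {"subject": "mail.google.com", "issuer": "Example Root CA",
              "der": b"constructed-der-bogus-mail.google.com"}

# The browser's built-in list of trusted issuers (today's top-down model).
BUILT_IN_ROOTS = {"Example Root CA"}


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of the certificate bytes, as a notary would record it."""
    return hashlib.sha256(der).hexdigest()


# Hypothetical notaries: each maps the host to the fingerprint it observed on
# its own scan. All of them saw the genuine certificate.
NOTARY_OBSERVATIONS = {
    "notary-a": {"mail.google.com": fingerprint(GENUINE_CERT["der"])},
    "notary-b": {"mail.google.com": fingerprint(GENUINE_CERT["der"])},
    "notary-c": {"mail.google.com": fingerprint(GENUINE_CERT["der"])},
}


def built_in_list_accepts(cert: dict) -> bool:
    """Current model: any certificate from a listed issuer is trusted, so a
    compromised issuer's bogus certificate is indistinguishable from a real one."""
    return cert["issuer"] in BUILT_IN_ROOTS


def notary_accepts(cert: dict, observations: dict, quorum: int = 2) -> bool:
    """Notary model: trust only if at least `quorum` independent notaries saw
    this exact certificate for this host, regardless of who issued it."""
    fp = fingerprint(cert["der"])
    agreeing = sum(1 for seen in observations.values()
                   if seen.get(cert["subject"]) == fp)
    return agreeing >= quorum


if __name__ == "__main__":
    for name, cert in (("genuine", GENUINE_CERT), ("bogus", BOGUS_CERT)):
        print(f"{name}: built-in list={built_in_list_accepts(cert)}, "
              f"notaries={notary_accepts(cert, NOTARY_OBSERVATIONS)}")
```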

However, others are more cynical. Bruce Schneier, an internet-security expert, doubts that any such fix will work. Mr. Schneier argues that the problem is not technological but one of incentives: certificate authorities, governments, and browser-makers all have a strong interest in keeping the existing system and thus no interest in mending it. In effect, he compares "discussing the relative merits of the proposed fixes to discussing what colour to paint tanks while in the middle of a battle."

The original article can be found here.
