It’s a mistake to think that the core security issues on the Internet are purely technical. They are not. Security on the Internet is largely a problem of the trust relationships linking several components:
- The trust a user has in the browser and its capacity to deliver reliable information, while protecting the user;
- The trust between a browser and its trusted certificate authority (CA) list;
- The trust that the entire IT industry has with respect to the various certificate authorities (CA) and their ability to reliably authenticate certificate owners, to verify their information and to technically protect the underlying mechanism.
If even one element of the trust chain is broken, the entire security model is at risk, as has been demonstrated recently:
- Eddy Nigg, founder of StartCom, revealed that certstar, a reseller for the Comodo certificate authority, was not verifying the information provided before signing SSL certificates (and certstar was using suspicious renewal scams to get more customers). Eddy easily obtained a certificate for the mozilla.com domain despite having no relationship with that organization. Comodo reacted immediately once the information was revealed, revoking the certificate and launching an internal investigation into certstar. Mozilla is seeking stronger assurances from Comodo that they are doing their job professionally, and has threatened to remove Comodo from its trusted CA list if this is not the case.
- At the 25th CCC conference (Chaos Communication Congress), a group of researchers presented their work on the creation of a rogue CA certificate that is recognized as trusted by the various browsers and can be used to generate an on-demand certificate for any secure website. The technique exploits known weaknesses in the MD5 algorithm, still used by some certificate authorities. Using a cluster of 200 PS3s, they can relatively rapidly generate a CA certificate with the same MD5 hash value as a RapidSSL certificate signed at their request. With this sort of certificate, they are able to impersonate any secure website to launch man-in-the-middle attacks. Verisign reacted immediately, banning the use of MD5 by its certification authorities to prevent a possible reproduction.
So it’s clearly difficult for users to be sure they can trust a website, even with all the trust indicators given by their browser. An up-to-date browser and checking every certificate (using OCSP) remain the best way to surf with low risk. And be sure of what you are doing before accepting an untrusted certificate, because basic MITM attacks exist in the wild.
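As an added example (not part of the original article): one way to audit for the MD5 weakness behind the rogue CA certificate described above is to read a certificate's outer signatureAlgorithm OID and flag MD5-based signatures. The function names are hypothetical, and `sample_cert` builds a constructed DER skeleton for testing, not a real certificate.

```python
# Added example: flag X.509 certificates signed with a weak hash such as MD5.
WEAK_SIG_OIDS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.2": "md2WithRSAEncryption",
}

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def decode_oid(body):
    """Decode DER OID content bytes into dotted notation."""
    arcs, value = [], 0
    for b in body:
        value = (value << 7) | (b & 0x7F)   # base-128, high bit = continuation
        if not b & 0x80:
            arcs.append(value)
            value = 0
    head = [arcs[0] // 40, arcs[0] % 40] if arcs[0] < 80 else [2, arcs[0] - 80]
    return ".".join(map(str, head + arcs[1:]))

def signature_oid(cert_der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }"""
    tag, start, _ = read_tlv(cert_der, 0)
    _, _, tbs_end = read_tlv(cert_der, start)             # skip tbsCertificate
    alg_tag, alg_start, _ = read_tlv(cert_der, tbs_end)   # signatureAlgorithm
    oid_tag, oid_start, oid_end = read_tlv(cert_der, alg_start)
    if (tag, alg_tag, oid_tag) != (0x30, 0x30, 0x06):
        raise ValueError("not an X.509 certificate structure")
    return decode_oid(cert_der[oid_start:oid_end])

def weak_signature(cert_der):
    """Return the weak algorithm's name, or None if the signature hash is acceptable."""
    return WEAK_SIG_OIDS.get(signature_oid(cert_der))

def tlv(tag, body):                         # builder for the constructed sample only
    n = len(body)
    return bytes([tag]) + (bytes([n]) if n < 128 else bytes([0x81, n])) + body

def sample_cert(sig_oid_bytes):
    """Constructed skeleton: dummy tbsCertificate, given signature OID, dummy signature."""
    alg = tlv(0x30, tlv(0x06, sig_oid_bytes) + b"\x05\x00")
    return tlv(0x30, tlv(0x30, bytes(130)) + alg + tlv(0x03, bytes(17)))
```

To check a real certificate, pass its DER bytes (for a PEM file, the base64-decoded body) to `weak_signature`.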
