Systemic weaknesses in the process used to issue digital certificates, together with a general lack of oversight of that process, have some security experts warning that SSL may be hopelessly ineffective. The certificates are the foundation of the secure sockets layer (SSL) standard that browsers use to verify that a website is the one it claims to be.
"Right now, it's just an illusion of security. Depending on what you think your threat is, you can trust it on varying levels, but fundamentally, it has some pretty serious problems," said security researcher Moxie Marlinspike, who has extensive experience in finding technical flaws in SSL.
Recent instances of SSL security lapses include:
- In 2008, weaknesses in SSL certificates issued by a VeriSign subsidiary were discovered.
- In 2009, a bogus PayPal certificate continued to be accepted by Internet Explorer, Chrome and Safari for more than two months after it was publicly exposed.
- In 2010, a root certificate shipped with Mac OS X and Mozilla software had no identified owner for four days, until RSA Security confirmed that it had issued the credential.
- In 2011, Iranian hackers broke into the servers of a Comodo reseller and obtained fraudulent certificates for Microsoft, Yahoo, Skype and Google domains.
- Also in 2011, an analyst at the Electronic Frontier Foundation found that CAs had issued more than 37,000 SSL certificates for so-called unqualified domain names, such as "localhost", "exchange" and "exchange01".
Browsers use digital certificates to recognize legitimate websites and to protect users from inadvertently exposing themselves to malware, phishing scams, impostors and spoofed landing pages.
The certificates are issued by a handful of companies known as certificate authorities (CAs), such as VeriSign, GoDaddy and the recently compromised Comodo.
"The current security of SSL depends on these external entities and there's no reason for us to trust them. They don't have a strong incentive to behave well because they're not accountable," Marlinspike said.
Other security experts agree that the issue comes down to accountability: CAs face no serious repercussions for a lack of due diligence when issuing digital certificates.
"In terms of what the CAs do, it seems like it's a bit of the old west. It doesn't seem like anyone is holding them accountable, even when something as severe as the Comodo incident happens," said senior consultant Mike Zusman of security firm Intrepidus Group.
That lack of accountability could lead to the issuance of certificates that give criminal enterprises the means to mount large-scale targeted attacks against businesses and their customers.
An improperly issued certificate for an unqualified domain name lets an attacker present a validly signed, browser-trusted certificate for that name. Because a name such as "mail" is resolved relative to whatever network the victim is on, one such certificate is accepted for the "mail" host of any organization.
"What if an attacker were able to receive a CA-signed certificate for names like 'mail' or 'webmail'? Such an attacker would be able to perfectly forge the identity of your organization's webmail server in a 'man-in-the-middle' attack," said the EFF's Chris Palmer.
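The following is an added example, not code from the article, the EFF or any CA. It shows the two halves of the problem Palmer describes: how to flag certificate names that no public CA can legitimately validate (single-label names such as "exchange01", names under private suffixes, IP literals), and why a browser accepts a certificate carrying the name "mail" for https://mail/ on any network. The certificates are constructed dictionaries standing in for the CN and SAN fields of real X.509 certificates, and the list of private suffixes is an assumption for illustration.

```python
"""Added example: classify certificate names and show why a CA-signed
certificate for an unqualified name is accepted on any intranet.

All certificates below are constructed for illustration; the CN/SAN
dictionaries stand in for fields parsed out of real X.509 certificates."""
import ipaddress

# Assumption: suffixes commonly used on private networks. A public CA cannot
# validate ownership of these, so they are treated as non-public here.
INTERNAL_SUFFIXES = (".local", ".internal", ".corp", ".lan", ".intranet")


def classify_name(name):
    """Classify one CN or SAN dNSName entry.

    Returns "ip" for an IP literal, "unqualified" for a single-label name
    (no dot, e.g. "exchange01" or "localhost"), "internal" for a name under
    a private suffix, and "public" otherwise.
    """
    name = name.strip().lower().rstrip(".")
    try:
        ipaddress.ip_address(name)
        return "ip"
    except ValueError:
        pass
    host = name[2:] if name.startswith("*.") else name
    if "." not in host:
        return "unqualified"
    if host.endswith(INTERNAL_SUFFIXES):
        return "internal"
    return "public"


def name_matches(hostname, pattern):
    """RFC 6125-style comparison as browsers apply it: case-insensitive,
    trailing dots ignored, and "*" only as the whole leftmost label."""
    hostname = hostname.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        h_labels = hostname.split(".")
        p_labels = pattern.split(".")
        return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]
    return hostname == pattern


def cert_accepted_for(cert, hostname):
    """True if a browser would accept this certificate for the hostname in
    the URL bar. SAN entries take precedence; the CN is consulted only when
    the certificate carries no SAN extension."""
    names = cert.get("san") or [cert["cn"]]
    return any(name_matches(hostname, n) for n in names)


def risky_names(cert):
    """Names in the certificate that a public CA had no business validating."""
    names = list(cert.get("san", [])) + [cert["cn"]]
    return sorted({n for n in names if classify_name(n) != "public"})


def audit(certs):
    """Map each certificate's CN to its non-public names; clean ones dropped."""
    return {c["cn"]: risky_names(c) for c in certs if risky_names(c)}


def impersonators(certs, hostname):
    """CNs of every certificate a browser would accept for `hostname`."""
    return [c["cn"] for c in certs if cert_accepted_for(c, hostname)]


# Constructed sample certificates, as a careless CA might have issued them.
SAMPLE_CERTS = [
    {"cn": "mail.example.com", "san": ["mail.example.com", "mail"]},
    {"cn": "exchange01", "san": []},
    {"cn": "www.example.com", "san": ["www.example.com", "example.com"]},
    {"cn": "*.corp.local", "san": ["*.corp.local", "10.0.0.5"]},
]


if __name__ == "__main__":
    # A victim on any corporate LAN who opens https://mail/ is shown the
    # first certificate without a warning: the name "mail" matches exactly.
    print("accepted for 'mail':", impersonators(SAMPLE_CERTS, "mail"))
    print("audit:", audit(SAMPLE_CERTS))
```

Fed with the CN and SAN entries of real certificates (for example from a CA's issued-certificate list or an observatory dataset), `audit` produces the kind of "unqualified name" inventory the EFF analyst compiled, and `impersonators` answers the question in Palmer's quote: which of those certificates a browser would accept for a bare intranet hostname. The wildcard rule is deliberately the strict form (one label, leftmost only), since that is what mainstream browsers enforce.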
Browser makers' attempts to improve SSL security are thwarted by the fact that blacklisting the root certificates of companies with a record of issuing bad certificates would also cut off every website that holds a valid certificate from those same companies.
So for now, users have to accept some risk in a system that is full of holes.