Digital Certificates Only Provide the Illusion of Security

Monday, April 11, 2011

Headlines

69dafe8b58066478aea48f3d0f384820

Systemic weaknesses and a general lack of oversight governing the process used to issue digital certificates, key to the secure sockets layer (SSL) standard used to validate legitimate websites, has some security experts warning that SSL may be hopelessly ineffective.

“Right now, it's just an illusion of security. Depending on what you think your threat is, you can trust it on varying levels, but fundamentally, it has some pretty serious problems," said security researcher Moxie Marlinspike, who has extensive experience in finding technical flaws in SSL.

Some of the recent instances of SSL security lapses include:

Digital certificates are used by internet browsers to recognized legitimate websites and protect surfers from inadvertently exposing themselves to malware, phishing scams, impostors and spoofed landing sites.

The certificates are issued by only a handful of companies known as Certificate Authorities, such as VeriSign, GoDaddy, and the recently compromised Comodo.

“The current security of SSL depends on these external entities and there's no reason for us to trust them. They don't have a strong incentive to behave well because they're not accountable," Marlinspike said.

Other security experts agree that the issue comes down to accountability, and that CA's face no serious repercussions for a lack of due diligence in the issuing of digital certificates.

“In terms of what the CAs do, it seems like it's a bit of the old west. It doesn't seem like anyone is holding them accountable, even when something as severe as the Comodo incident happens," said senior consultant Mike Zusman of security firm Intrepidus Group.

The lack of accountability in the industry could lead to the issuing of certificates that present criminal enterprises with the opportunity to conduct large scale targeted cyber attacks that threaten businesses and their clientele.

An improperly issued digital certificate for an unqualified domain name would allow an attacker to conduct exploits accompanied by validly signed and authenticated certificates.

“What if an attacker were able to receive a CA-signed certificate for names like 'mail' or 'webmail'? Such an attacker would be able to perfectly forge the identity of your organization's webmail server in a 'man-in-the-middle' attack," said the EFF's Chris Palmer.

Attempts to improve SSL security by internet browser providers is thwarted by the fact that blacklisting the root certificates for companies that have a record of issuing bad certificates would mean also blocking access to all the websites who have obtained valid certificates from the same companies.

So for now, one has to expect some risk in a system that is full of holes.

Source:  http://www.theregister.co.uk/2011/04/11/state_of_ssl_analysis/

Possibly Related Articles:
6983
Vulnerabilities
SSL Browser Security Digital Certificates internet Headlines VeriSign Comodo
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.