Ericka Chickowski of DarkReading has an excellent article on The Future of Web Authentication which traces the evolution of the current system for issuing digital certificates and outlines the considerable problems therein.
Digital certificates such as SSL and TLS are used by internet browsers to recognized legitimate websites and protect surfers from inadvertently exposing themselves to malware, phishing scams, impostors and spoofed landing sites.
Digital certificates are issued by only a handful of Certificate Authorities, such as VeriSign, GoDaddy, and the recently compromised Comodo. An improperly issued certificate for an unqualified domain name would allow an attacker to conduct exploits accompanied by validly signed and authenticated certificates.
Systemic weaknesses and a general lack of oversight governing the process used to issue digital certificates, key to the standards used to validate legitimate websites, prompted some security experts to wonder if the system may be hopelessly ineffective.
“Right now, it's just an illusion of security. Depending on what you think your threat is, you can trust it on varying levels, but fundamentally, it has some pretty serious problems... The current security of SSL depends on these external entities and there's no reason for us to trust them. They don't have a strong incentive to behave well because they're not accountable" security researcher Marlinspike said last spring.
Other security experts agree that the issue comes down to accountability, and that CA's face no serious repercussions for a lack of due diligence in the issuing of digital certificates.
“In terms of what the CAs do, it seems like it's a bit of the old west. It doesn't seem like anyone is holding them accountable, even when something as severe as the Comodo incident happens," senior consultant Mike Zusman of security firm Intrepidus Group said previously.
Some instances of digital certificate security lapses include:
- In 2008 weakness in SSL certificates issued by a subsidiary of VeriSign were discovered
- In 2009, a PayPal credential continued to slip by Internet Explorer, Chrome and Safari browsers for more than two months after being exposed
- In 2010, a root certificate included in Mac OS X and Mozilla software went unmitigated for four days before RSA Security verified it issued the credential
- In 2011, Iranian hackers broke into the servers of a reseller of Comodo and forged digital certificates for Microsoft, Yahoo, Skype, and Google
- Also in 2011, an analyst from the Electronic Frontier Foundation discovered that CAs issued over 37,000 SSL credentials for so-called unqualified domain names, such as “localhost,” “exchange,” and “exchange01”
The lack of accountability in the industry could lead to the issuing of certificates that present criminal enterprises with the opportunity to conduct large scale targeted cyber attacks that threaten businesses and their clientele.
"You can get an SSL certificate for just about anything... the amount of people I have to trust without my consent is beyond what I would ever choose to trust, and in fact, just using a browser in and of itself means I don't even know who I trust," Chet Wisniewski of Sophos said.
Attempts to improve digital certificate security by internet browser providers is thwarted by the fact that blacklisting the root certificates for companies that have a record of issuing bad certificates would mean also blocking access to all the websites who have obtained valid certificates from the same companies.
In December of 2011, the Certification Authority/Browser Forum issued a set of baseline security requirements for authentication authorities to implement in an effort to bolster the effectiveness of secure sockets layer digital certificates.
The new guidance is not expected to have an immediate impact on website authentication, but they do represent a step in the right direction if the Certificate Authority system expects to remain relevant in the long run.
"Thus far, the browser manufacturers haven't shown a tremendous amount of interest in trying to get ahead of this problem and dealing with it once and for all... Anything that requires us to migrate the entire Internet to a different protocol isn't going to happen... Right now, particularly in this space, ideas are easy, but it's getting it done that's the hard part," Marlinspike said.