THIS MONTH: INSIDER

action...

IS THE INTERNET'S CIRCLE OF TRUST FUNDAMENTALLY FLAWED?


A hacker got their hands on fraudulent website security certificates earlier this year, calling the reliability of the certification system into doubt


Many consumers are rightly wary of entering their credit card details or personal data into websites they do not trust. A common way for website operators to earn that trust is to apply for a security certificate, which tells the user's browser that the site is secure.


These security certificates are issued by certification authorities (CAs), and the reliability of the system hangs on whether these authorities can themselves be trusted. However, in March 2011 it emerged that a hacker, who claimed to have been operating in Iran, had successfully infiltrated one of the large CAs, named Comodo, and fraudulently acquired a number of security certificates. This would have theoretically allowed them to set up phishing or malware-infected websites, and web browsers would have identified the sites as being trustworthy. In the event, Comodo identified the leak, and instructed web browser makers including Microsoft, Google and Mozilla to patch their browsers so the certificates in question were no longer trusted, a process known as certificate revocation.

The incident came to light after Jacob Appelbaum, a security researcher for online anonymity group Tor, noticed that the newly blacklisted certificates had all been issued by the same authority. Appelbaum saw the breach as evidence that the security certification system is flawed, as the certification authorities are themselves vulnerable to attack. Others observed, however, that the system of certificate revocation had been successful, and that there was minimal actual damage.

Whether or not the certification system needs to be upgraded or replaced, the Comodo incident has shown once again that no security measure can be trusted complacently. And experts say it exposed the fact that many businesses had little understanding of the system, and no precautions for the event of their certificates being hijacked.

For organisations that collect sensitive data from customers through their websites, it seems that maintaining trust online might not be as easy as first thought.

reaction...


Peter Wood, from the London Chapter of the ISACA Security Advisory Group, says the incident does not call the SSL certification system into question


The fact that an Iranian hacker was able to get Comodo to issue certificates for fake sites does not mean that the SSL certification system is flawed. The hacker did not break the SSL algorithms but rather exploited a hard-coded username and password at one of Comodo's affiliates. This is why the SSL system includes certificate revocation, to ensure that fraudulent certificates can be made invalid and thus worthless. We will continue to see configuration errors like this whenever human beings are involved – the trick is to have processes in place to mitigate the problem and to learn from each incident, not to throw the baby out with the bath water.




Paul Turner, of security certificate management vendor Venafi, argues that enterprise organisations rarely understand how the security certificate system works

One big problem with the certificate management system is that even sophisticated IT staff don't always have a strong grasp of how certificates work and what to do in an emergency. If you believe that Comodo won't be the last CA to be targeted or breached, the question is how to respond to a report of a forged certificate. Having a clearly written plan and methodology for being able to respond to emergencies can save a lot of time. Ideally, your organisation should have means for quickly replacing affected certificates or switching, wholesale, from a compromised CA to another secure one.
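The two mechanisms the article relies on, browsers ceasing to trust specific certificates (revocation) and, at the extreme Turner describes, an organisation abandoning a CA altogether, can be seen end to end in a small program. The Go code below is an added example written for this page; it is not code from Information Age, Comodo, Venafi or any browser vendor. It uses only Go's standard library to construct an in-memory root CA, issue a certificate for a hypothetical host, and then run the kind of check a browser performs: first while the certificate is good, then after the CA publishes a certificate revocation list (CRL) naming it, and finally after the CA is removed from the trust store. The CA name "Example Root CA", the host "shop.example" and serial number 42 are constructed values, not taken from the incident.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

var now = time.Now()

// mint generates a fresh P-256 key for tmpl and has parent sign it; a nil parent means
// tmpl signs itself, which is how a root CA certificate is made. Constructed for this example.
func mint(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// newCA builds a self-signed root allowed to sign both certificates and CRLs.
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	return mint(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}, nil, nil)
}

// issue has the CA sign a server certificate for host; the serial is what a CRL later
// refers to. The site's own private key is discarded: the browser-side checks never need it.
func issue(caCert *x509.Certificate, caKey *ecdsa.PrivateKey, host string, serial int64) (*x509.Certificate, error) {
	cert, _, err := mint(&x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, caCert, caKey)
	return cert, err
}

// revoke publishes a CRL, signed by the CA, listing the given serials as withdrawn.
func revoke(caCert *x509.Certificate, caKey *ecdsa.PrivateKey, serials ...int64) (*x509.RevocationList, error) {
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(time.Hour)}
	for _, s := range serials {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates, pkix.RevokedCertificate{SerialNumber: big.NewInt(s), RevocationTime: now})
	}
	der, err := x509.CreateRevocationList(rand.Reader, tmpl, caCert, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseRevocationList(der)
}

// checkTrust models the browser's decision: the leaf must chain to a root in the
// trust store and must not be listed on a CRL signed by its own issuer.
func checkTrust(leaf *x509.Certificate, roots *x509.CertPool, crls []*x509.RevocationList, host string) error {
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	if err != nil {
		return err // no trusted root, wrong host name, or outside the validity period
	}
	issuer := chains[0][1] // the CA certificate that signed the leaf
	for _, crl := range crls {
		if crl.CheckSignatureFrom(issuer) != nil {
			continue // a CRL from some other CA cannot speak for this issuer's certificates
		}
		for _, rc := range crl.RevokedCertificates {
			if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
				return fmt.Errorf("certificate %v revoked by %s", leaf.SerialNumber, issuer.Subject.CommonName)
			}
		}
	}
	return nil
}

func main() {
	caCert, caKey, _ := newCA("Example Root CA")
	shop, _ := issue(caCert, caKey, "shop.example", 42)
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	fmt.Println("before revocation:", checkTrust(shop, roots, nil, "shop.example"))
	crl, _ := revoke(caCert, caKey, 42)
	fmt.Println("after revocation:", checkTrust(shop, roots, []*x509.RevocationList{crl}, "shop.example"))
	fmt.Println("after the browser drops the CA:", checkTrust(shop, x509.NewCertPool(), nil, "shop.example"))
}
```

Run it with `go run`. The first line reports no error, the second reports the certificate as revoked, and the third fails because no root in the (now empty) trust store vouches for it. The last case is the one Turner's advice is about: once a CA is distrusted, every certificate beneath it fails the same check at the same moment, so an organisation needs to know which of its own certificates chain to that CA and be able to reissue them from another one. A real client would fetch the CRL from the distribution point named in the certificate; here it is handed in directly so the example runs offline.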


www.information-age.com | INFORMATION AGE, APRIL 2011, page 11

