Black Hat Researcher Releases Tool to Bypass SSL Certificate Authorities
In light of the recent Comodo attack and other vulnerabilities in the Secure Sockets Layer system, security researcher Moxie Marlinspike released a Firefox add-on that allows users to bypass CAs altogether.
Researchers have long highlighted security issues with the Secure Sockets Layer system used to secure Internet communication. One of those issues is trust: SSL Certificate Authorities have been compromised in recent months, a researcher told Black Hat attendees.
The attack on certificate authority Comodo in March highlights the problems with the current CA system and the need for replacing it, Moxie Marlinspike, co-founder and CTO of Whisper Systems, said Aug. 4 at the recent Black Hat security conference in Las Vegas. An Iranian hacker claimed responsibility for the attack in which he managed to trick Comodo into issuing valid certificates for major Websites belonging to Google, Microsoft, Yahoo and Mozilla. Comodo did not face any lawsuits or suffer any other consequences for the incident, Marlinspike said.
For the SSL system to work properly, security, integrity and authenticity are needed, according to Marlinspike. Currently, the system doesn't work as well as it was supposed to because authenticity is the weak link, he said. CAs have to ensure that sites are authentic and prevent man-in-the-middle attacks, in which malicious Web sites trick users into accessing a fraudulent page instead of the real site.
"The real story with the Comodo attack is that it's not unique," Marlinspike said, noting that it is "happening every day."
The SSL structure has not been fundamentally altered since the early 1990s, and Marlinspike claimed the original SSL authors told him the security technology used to secure Web communications was developed almost as an afterthought. The sheer number of certificate authorities (approximately 650, according to the Electronic Frontier Foundation) means there are plenty that can provide signed certificates to cyber-attackers or maliciously intercept Internet communications.
Comodo's feisty CEO Melih Abdulhayoglu agreed with Marlinspike's assessment in an interview with eWEEK earlier this year. While defending Comodo's security and practices, he offered a scathing commentary on "fly by night operators offering certificates for $10" without any verification process to ensure domain ownership.
Comodo is likely not as trustworthy as it should be, but there is nothing the user can do under the existing system, Marlinspike said. Removing Comodo, the second largest certificate authority, from the list of trusted authorities in the Web browser would mean the user would no longer be able to access "a quarter of the Internet," which is why browser vendors haven't already done so, he said.