Certificate Security Relies on Fragile Thread of Trust
Web browsers and other Internet programs rely on digital certificates to be sure that the servers serving up Websites are legitimate. A Web browser can look at the digital certificate of a site and be assured that the Gmail site being displayed is actually being served up from Google servers and not from a malicious server intent on phishing.
If malicious perpetrators can trick certificate authorities into issuing certificates for legitimate sites, then they can launch man-in-the-middle attacks to steal data or eavesdrop on compromised users. There are over 600 trusted certificate authorities around the world, making the "trust system" a little unwieldy.
The encryption used in the certificates hasn't been broken and the existing system still does what it's supposed to do, James Lyne, director of technology strategy at Sophos, told eWEEK. However, "how we've globally deployed this system and the fragile link of digital trust to the physical world causes the problem we see here," Lyne said.
Shortly after the Comodo attack, Melih Abdulhayoglu, the company's CEO, told eWEEK that the current CA system is "not working" because there are many "fly-by-night operators offering certificates for $10" that sign certificates without performing even the most minimal checks. Abdulhayoglu claimed Comodo had stringent checks in place and promised more controls, but that many companies aren't following the same processes.
To further strengthen the CA trust system, Comodo presented a proposal in April at the 80th meeting of the Internet Engineering Task Force in Prague to create a new resource record in a Website's Domain Name System (DNS) record. The resource record would indicate which certificate authority the Website owner had designated as the "trusted" authority. Browsers can check the site's digital certificate and make sure it is signed by the authorized CA listed in the DNS record, Philip Hallam-Baker, Comodo vice president, said in the proposal.
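A minimal model of the check the proposal describes, as an added example that is not from the article or from Comodo's draft: a zone publishes which CA may sign for a name, and a client accepts a certificate only if its issuer is on that list. The record syntax (`flags tag "value"`), the walk up to ancestor names and the critical flag are assumptions modelled on the CAA record (RFC 6844) that grew out of this proposal; the article itself gives no wire format.

```python
# Added example (not from the article): a model of the proposed DNS-published CA
# authorisation check. Record syntax, ancestor lookup and the critical flag are
# assumptions modelled on the CAA record (RFC 6844).
from dataclasses import dataclass

CRITICAL = 128                                   # high bit of the flags byte
KNOWN_TAGS = {"issue", "issuewild", "iodef"}     # tags this checker understands

@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    value: str

def parse_caa(text: str) -> CAARecord:
    """Parse 'FLAGS TAG "VALUE"' (e.g. 0 issue "comodoca.com")."""
    parts = text.split(maxsplit=2)
    if len(parts) != 3:
        raise ValueError(f"malformed record: {text!r}")
    flags, tag, value = parts
    return CAARecord(int(flags), tag.lower(), value.strip().strip('"'))

def relevant_records(zone: dict[str, list[str]], name: str) -> list[CAARecord]:
    """Records published at NAME, else at the nearest ancestor that has any."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:])
        if zone.get(owner):
            return [parse_caa(r) for r in zone[owner]]
    return []

def issuer_authorized(zone: dict[str, list[str]], name: str, issuer: str) -> bool:
    """Should a client accept a certificate for NAME signed by CA ISSUER?"""
    recs = relevant_records(zone, name)
    # A record flagged critical whose tag we do not understand: fail closed.
    if any(r.flags & CRITICAL and r.tag not in KNOWN_TAGS for r in recs):
        return False
    allowed = {r.value.split(";")[0].strip().lower()
               for r in recs if r.tag == "issue"}
    if not allowed:
        return True            # no policy published: status quo, any CA accepted
    allowed.discard("")        # 'issue ";"' names nobody: no CA may sign
    return issuer.lower() in allowed

# Constructed sample zone (not real DNS data).
ZONE = {
    "example.com": ['0 issue "comodoca.com"'],
    "locked.example.net": ['0 issue ";"'],
    "strict.example.org": ['128 futuretag "x"'],
}
```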
At Black Hat, security researcher Moxie Marlinspike talked about a new way to bypass certificate authorities altogether. Convergence, currently available as a Firefox plug-in, relies on user-defined "notaries" instead.
The CAs have until Sept. 16 to respond to Mozilla. What Mozilla would do to any CA that chooses to not respond is anybody's guess.
"Participation in Mozilla's root program is at our sole discretion, and we will take whatever steps are necessary to keep our users safe," Wilson wrote.