    Black Hat Researcher Releases Tool to Bypass SSL Certificate Authorities

    By Fahmida Y. Rashid, August 8, 2011

      Researchers have long highlighted security issues with the Secure Sockets Layer (SSL) system used to protect Internet communication. One of those issues is trust: several SSL certificate authorities (CAs) have been compromised in recent months, a researcher told Black Hat attendees.
      The attack on certificate authority Comodo in March highlights the problems with the current CA system and the need to replace it, Moxie Marlinspike, co-founder and CTO of Whisper Systems, said Aug. 4 at the Black Hat security conference in Las Vegas. An Iranian hacker claimed responsibility for the attack, in which he tricked Comodo into issuing valid certificates for major Websites belonging to Google, Microsoft, Yahoo and Mozilla. Comodo did not face any lawsuits or suffer any other consequences for the incident, Marlinspike said.
      For SSL to work properly it must provide secrecy, integrity and authenticity, according to Marlinspike. Currently the system does not work as well as it was supposed to because authenticity is the weak link, he said. CAs are supposed to vouch that a site is authentic; that is what is meant to prevent man-in-the-middle attacks, in which an attacker interposes on the connection and presents a fraudulent certificate so that the user ends up talking to the attacker instead of the real site.
      “The real story with the Comodo attack is that it’s not unique,” Marlinspike said, noting that it is “happening every day.”
      The SSL structure has not been fundamentally altered since the mid-1990s, and Marlinspike said the original SSL authors told him that the technology used to secure Web communications was developed almost as an afterthought. The sheer number of certificate authorities (approximately 650, according to the Electronic Frontier Foundation) means there are plenty that could issue signed certificates to cyber-attackers or be used to intercept Internet communications, because a browser trusts every one of them equally for every domain.
      Comodo’s outspoken CEO Melih Abdulhayoglu agreed with Marlinspike’s assessment in an interview with eWEEK earlier this year. While defending Comodo’s own security and practices, he offered a scathing commentary on “fly by night operators offering certificates for $10” without any verification process to confirm domain ownership.
      Comodo is probably not as trustworthy as it should be, but under the existing system there is nothing the user can do about it, Marlinspike said. Removing Comodo, the second-largest certificate authority, from the browser’s list of trusted authorities would mean the user could no longer reach “a quarter of the Internet,” which is why browser vendors haven’t done so, he said.

      Firefox Add-on Bypasses Certificate Authorities

      “The truth is, somewhere along the line, we made a decision to trust Comodo”, Marlinspike said, adding, “And now we are locked into trusting them forever, and this is the essence of the problem”.

      The current system doesn’t support “trust agility,” the ability to revise the list of whom to trust as circumstances change, according to Marlinspike. Comodo may have deserved trust at one point, but now it is nearly impossible to remove from the list without making large swathes of the Internet “disappear,” he said.

      Users also have no choice about which certificate authorities to trust under the current CA system, Marlinspike said. When a user visits a Website, the browser validates the site’s SSL certificate against a list of root CAs that ships with the browser or operating system; the user never chose that list and cannot practically change it. Marlinspike wants to change the system so that the user decides which parties are consulted to authenticate a site’s certificate.

      Convergence, a Mozilla Firefox add-on released by Marlinspike, is intended to replace CAs. Instead of a certificate authority, notary servers chosen by the user check a site’s SSL certificate on the user’s first visit, each fetching the certificate from its own network vantage point and reporting whether it matches what the user sees. The browser caches the certificate locally and compares it on repeat visits; as long as the certificate matches, there is no need to contact the notaries again. Website administrators do not have to change anything to be reachable by users running the Convergence plug-in, which bypasses CAs altogether, Marlinspike said.
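      The notary-and-cache mechanism described above, written out as an added illustration (this is not Convergence’s own code). It assumes, for the sake of running offline, that a notary is a plain dict of hostname to the SHA-256 fingerprint of the certificate that notary fetched from its own vantage point, that the browser-side cache is a dict, and that the client accepts a certificate when at least a user-chosen quorum of notaries agrees with what the client sees; the certificate bytes are constructed stand-ins.

```python
"""Convergence-style notary check (illustration, not Convergence's code).

Assumptions, not from the article: a notary is modelled as a dict of
hostname -> SHA-256 fingerprint of the certificate it fetched from its
own network vantage point; the browser cache is a dict; a certificate is
accepted when at least `quorum` of the user's chosen notaries agree.
"""
import hashlib
from dataclasses import dataclass, field


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 of the DER-encoded certificate, the value notaries compare."""
    return hashlib.sha256(cert_der).hexdigest()


@dataclass
class ConvergenceClient:
    notaries: dict                             # name -> {host: fingerprint seen}
    quorum: int = 2                            # notaries that must agree
    cache: dict = field(default_factory=dict)  # host -> pinned fingerprint
    notary_queries: int = 0                    # how often we had to ask

    def _ask_notaries(self, host: str, fp: str) -> int:
        """Count trusted notaries that observed `fp` for `host`."""
        self.notary_queries += 1
        return sum(1 for seen in self.notaries.values() if seen.get(host) == fp)

    def verify(self, host: str, cert_der: bytes) -> bool:
        fp = fingerprint(cert_der)
        if self.cache.get(host) == fp:
            return True                        # repeat visit, no notary contact
        # First visit, or the server presented a different certificate.
        if self._ask_notaries(host, fp) >= self.quorum:
            self.cache[host] = fp              # first sight or legitimate key rotation
            return True
        return False                           # notaries see another cert: likely MITM

    def distrust(self, name: str) -> None:
        """Trust agility: drop a notary without losing access to any site."""
        self.notaries.pop(name, None)


# Constructed stand-ins for DER certificates; real code would hash the bytes
# returned by ssl.SSLSocket.getpeercert(binary_form=True).
CERT_A = b"constructed DER: CN=example.com, key 1"
CERT_B = b"constructed DER: CN=example.com, key 2 (rotated)"
CERT_MITM = b"constructed DER: CN=example.com, attacker's key"


def run_demo() -> dict:
    """Walk through first visit, cached visit, MITM attempt, key rotation."""
    fp_a = fingerprint(CERT_A)
    notaries = {n: {"example.com": fp_a} for n in ("notary-1", "notary-2", "notary-3")}
    client = ConvergenceClient(notaries=notaries, quorum=2)
    out = {}
    out["first_visit"] = client.verify("example.com", CERT_A)       # asks notaries
    out["queries_after_first"] = client.notary_queries
    out["cached_visit"] = client.verify("example.com", CERT_A)      # no query
    out["queries_after_cached"] = client.notary_queries
    # An attacker on the local path presents its own certificate; the notaries,
    # connecting from elsewhere, still see CERT_A, so nobody agrees.
    out["mitm_rejected"] = not client.verify("example.com", CERT_MITM)
    out["cache_intact"] = client.cache["example.com"] == fp_a
    # The site legitimately rotates its key; notaries now observe CERT_B.
    for seen in notaries.values():
        seen["example.com"] = fingerprint(CERT_B)
    out["rotation_accepted"] = client.verify("example.com", CERT_B)
    # Trust agility: one notary proves unreliable; dropping it changes nothing
    # for the user, unlike dropping a CA that signed a quarter of the Web.
    client.distrust("notary-3")
    out["still_works_after_distrust"] = client.verify("example.com", CERT_B)
    out["queries_total"] = client.notary_queries
    return out


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

      The quorum is what gives the user a policy knob the CA model lacks: a single notary can be dropped or added without any site becoming unreachable, and a certificate that only the user’s own network path sees is rejected because no notary confirms it.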

      While Marlinspike’s ire was directed at Comodo, he said he distrusts all certificate authorities, including VeriSign. “There isn’t anyone doing a great job,” he said, noting that it is not realistic to expect any organization to examine sites “as carefully as necessary” to certify them.

      Other SSL issues were highlighted at Black Hat. According to a survey by Qualys, a significant majority of supposedly SSL-secured sites are not actually fully secured, Philippe Courtot, chairman and CEO of Qualys, told eWEEK. Organizations are deploying the technology incorrectly, leaving their Websites insecure despite offering SSL. Mixing encrypted and unencrypted content, for example, exposes users to session hijacking: a session cookie set over HTTPS but not marked Secure is also sent in the clear on the site’s HTTP pages, where anyone on the network path can capture it and replay it.
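      A small audit for the two deployment mistakes that paragraph points at, added here as an example and not part of Qualys’s scanner or the article: session cookies that will leak over plain HTTP, and HTTPS pages that load subresources over http://. The response headers and HTML it runs on are constructed, and the cookie-name heuristic (names containing sess, sid, auth or token) is my assumption.

```python
"""Audit of mixed-content and insecure-cookie misconfigurations.

Added illustration, not Qualys's scanner. The headers and HTML below are
constructed; the session-cookie name heuristic is an assumption.
"""
import re

# src/href attributes whose value is a cleartext http:// URL
MIXED_RE = re.compile(r"""(?:src|href)\s*=\s*["'](http://[^"']+)["']""", re.IGNORECASE)
SESSION_HINTS = ("sess", "sid", "auth", "token")   # assumed naming convention


def audit_set_cookie(value: str) -> list:
    """Return problems with one Set-Cookie header value (without the header name)."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    problems = []
    if any(h in name.lower() for h in SESSION_HINTS):
        if "secure" not in attrs:
            # Without Secure the browser also sends it on http:// requests,
            # so a passive sniffer on the path can replay the session.
            problems.append(f"{name}: missing Secure flag")
        if "httponly" not in attrs:
            problems.append(f"{name}: missing HttpOnly flag")
    return problems


def find_mixed_content(html: str) -> list:
    """Return http:// subresource URLs referenced from an HTTPS page.

    An http:// script is the worst case: whoever can tamper with that one
    cleartext fetch controls the whole HTTPS page and its cookies.
    """
    return MIXED_RE.findall(html)


def audit_response(headers: list, html: str) -> list:
    """Combine cookie and mixed-content findings for one HTTPS response."""
    findings = []
    for h in headers:
        if h.lower().startswith("set-cookie:"):
            findings += audit_set_cookie(h.split(":", 1)[1].strip())
    findings += [f"mixed content: {u}" for u in find_mixed_content(html)]
    return findings


# Constructed sample: the weak deployment and its corrected form.
WEAK_HEADERS = [
    "Set-Cookie: sessionid=5f3a9c; Path=/",
    "Set-Cookie: lang=en; Path=/",
]
FIXED_HEADERS = [
    "Set-Cookie: sessionid=5f3a9c; Path=/; Secure; HttpOnly",
    "Set-Cookie: lang=en; Path=/",
]
WEAK_HTML = """<html><head>
<script src="http://cdn.example.com/app.js"></script>
<link rel="stylesheet" href="https://cdn.example.com/site.css">
<img src="//cdn.example.com/logo.png">
</head></html>"""
FIXED_HTML = WEAK_HTML.replace('src="http://cdn', 'src="https://cdn')


if __name__ == "__main__":
    print("weak :", audit_response(WEAK_HEADERS, WEAK_HTML))
    print("fixed:", audit_response(FIXED_HEADERS, FIXED_HTML))
```

      Protocol-relative (//host/...) and https:// references are left alone; only an explicit http:// reference on a page served over HTTPS is reported. The non-session cookie is deliberately not flagged, since the risk the survey describes is the session being replayed.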

      “If anyone is trying to convince you to use a trust system, you have to ask, who do I have to trust and for how long?” Marlinspike said at the end of his presentation.

