For those in the know with computer security, skip this and read the article. For those who aren't read on.
Now here's a problem. Most people have NO idea what SSL is, or what a CA provider does for SSL. For the layman, SSL stands for Secure Socket Layer, or the security layer in your web browser of choice that is responsible for creating and maintaining the integrity of your "secure" web transactions, i.e., your online banking sessions, online purchases, iTunes account management, Amazon purchases, etc. When you ask your browser to initiate a secure session, the SSL layer talks to a CA, or Certificate Authority, to validate that the server you are connecting to is indeed valid. Legitimate companies are required to update their CA licenses every so often, where the Certificate Authority, such as Verisign, acts as a sort of escrow manager, validating the company, their server domain name, then assigning them an encrypted certificate that says "Hey, I am who I say I am. Come on in." Pretty fine and dandy on paper. In reality, it's just someone giving someone else money for an ID; however, it's something, and it's worked fairly well for the past couple of decades the web has been around.
Now enter this situation. Browsers automatically trust these authorities. In normal situations, this works. However, these CA's are now delegating their powers to subsidiaries, some of which are relatively unknown, and a small handful of which reportedly reside in what some view as shady parts of the world. That only applies to a few (and I mean FEW) companies, but enter this interesting proposition. What if someone (criminal, government agency, or other), managed to fake a certificate with one of these lesser known authorities? Matt Blaze has done some looking into the matter, and it seems it might be a little more possible than previously thought. While the government eavesdropping on your vacation itinerary doesn't seem like much, with good reason, if these tools fell into the hands of others, who knows what madness may ensue. It may be little more than paranoid rhetoric at this point, but it's rightful observation into the possibilities.
Now here's a problem. Most people have NO idea what SSL is, or what a CA provider does for SSL. For the layman, SSL stands for Secure Socket Layer, or the security layer in your web browser of choice that is responsible for creating and maintaining the integrity of your "secure" web transactions, i.e., your online banking sessions, online purchases, iTunes account management, Amazon purchases, etc. When you ask your browser to initiate a secure session, the SSL layer talks to a CA, or Certificate Authority, to validate that the server you are connecting to is indeed valid. Legitimate companies are required to update their CA licenses every so often, where the Certificate Authority, such as Verisign, acts as a sort of escrow manager, validating the company, their server domain name, then assigning them an encrypted certificate that says "Hey, I am who I say I am. Come on in." Pretty fine and dandy on paper. In reality, it's just someone giving someone else money for an ID; however, it's something, and it's worked fairly well for the past couple of decades the web has been around.
Now enter this situation. Browsers automatically trust these authorities. In normal situations, this works. However, these CA's are now delegating their powers to subsidiaries, some of which are relatively unknown, and a small handful of which reportedly reside in what some view as shady parts of the world. That only applies to a few (and I mean FEW) companies, but enter this interesting proposition. What if someone (criminal, government agency, or other), managed to fake a certificate with one of these lesser known authorities? Matt Blaze has done some looking into the matter, and it seems it might be a little more possible than previously thought. While the government eavesdropping on your vacation itinerary doesn't seem like much, with good reason, if these tools fell into the hands of others, who knows what madness may ensue. It may be little more than paranoid rhetoric at this point, but it's rightful observation into the possibilities.
UAE Man-in-the-Middle Attack Against SSL
Interesting:
Who are these certificate authorities? At the beginning of Web history, there were only a handful of companies, like Verisign, Equifax, and Thawte, that made near-monopoly profits from being the only providers trusted by Internet Explorer or Netscape Navigator. But over time, browsers have trusted more and more organizations to verify Web sites. Safari and Firefox now trust more than 60 separate certificate authorities by default. Microsoft's software trusts more than 100 private and government institutions.
Disturbingly, some of these trusted certificate authorities have decided to delegate their powers to yet more organizations, which aren't tracked or audited by browser companies. By scouring the Net for certificates, security researchers have uncovered more than 600 groups who, through such delegation, are now also automatically trusted by most browsers, including the Department of Homeland Security, Google, and Ford Motorsand a UAE mobile phone company called Etisalat.
In 2005, a company called CyberTrustwhich has since been purchased by Verizon gave Etisalat, the government-connected mobile company in the UAE, the right to verify that a site is valid. Here's why this is trouble: Since browsers now automatically trust Etisalat to confirm a site's identity, the company has the potential ability to fake a secure connection to any site Etisalat subscribers might visit using a man-in-the-middle scheme.
No comments:
Post a Comment