Certificate authorities: the web’s security blind spot

Security experts are calling for a revamp of the web’s underlying security infrastructure after exposing critical flaws in the current certification system.

Certificate authorities: the web’s security blind spot

The public-key infrastructure (PKI) system that validates websites via certificates is a major blind spot that could undermine trust in the internet if changes aren’t made – and soon. “We have a potentially big problem – we designed this protocol and infrastructure, SSL and PKI, back in 1994 and 1995, and essentially the evolution of the trust ecosystem stopped in 1995,” said Ivan Ristic, a co-founder of the non-profit Trustworthy Internet Movement.

The concern follows a series of attacks against certificate authorities (CAs) last year. Such authorities generate the cryptographic certificates that tell web browsers that content is originating from the website that it claims. If a CA is hacked, the perpetrator could impersonate any site in the world – as happened when Dutch CA DigiNotar was hacked and its certificates were used to spoof Gmail and other major websites. Comodo, another CA, was also hacked last year.

“The mistake that we made was not keeping the technology up to date, and last year we realised this through Comodo and DigiNotar,” said Ristic. DigiNotar was shut down as a result of the attacks, while Comodo said “only” seven fraudulent certificates had been issued, all for communications systems, such as Skype, Gmail, Yahoo and Windows Live.

According to research from Symantec, at least ten other CAs have also been targeted in recent months, while the Electronic Frontier Foundation (EFF) claims 248 compromised keys have been revoked due to CA compromise. “Hundreds of organisations are CAs, and each one of them has the power to authenticate any website on the internet to an end user,” said Dan Auerbach, a technologist with the EFF.

There’s no clear picture of the true number of CAs – the EFF estimates put the figure at anything up to 650 – and compromising any CA lets hackers target any site. “Any CA that’s hacked will allow people to present a fake Gmail to end users,” said Auerbach. “This really isn’t a theoretical problem – for several months Iranian users were having Gmail traffic read [after DigiNotar was attacked].