Recent breaches have tarnished this Web security technology. Here are five ways to keep it going.

By Paul Roberts

darkreading.com, November 2012. Copyright 2012 UBM LLC.

One year ago, Gmail users in Iran woke up to a chilling prospect: Their sensitive and supposedly secure communications on Google's email program may have been tapped by unknown parties. A phony digital certificate in Google's name was used to impersonate the site and let the culprits mount a "man in the middle" attack to intercept and decrypt email sent to Google's servers before passing the messages along to the intended recipients.

In the search for the source of the phony certificate, all eyes turned to DigiNotar, a certificate authority in Beverwijk, Netherlands. DigiNotar admitted that it had been the victim of a cyberattack a month earlier whereby the attackers generated hundreds of bogus certificates in the names of some of the Internet's most trusted brands, including Google, Yahoo, Skype and the anonymity network Tor. Use of the fraudulent certificates was concentrated among Iranian users, leading to speculation that the attack was linked to that country's intelligence services, which have been cracking down on political dissidents.

The DigiNotar attack was the worst security compromise at a certificate authority to date. But it was hardly the only such attack. It came just months after an attack on a business affiliate of Comodo, a New Jersey CA. In that incident, the attackers generated phony certificates also in the names of prominent online brands.

Sidebar: CA Compromises Come In Many Flavors

There's more than one way for attackers to obtain fraudulent certificates that can be used to impersonate legitimate websites. The diagram presents four scenarios:

CA System Compromise: Use malware or another infiltration tactic to get a fraudulent certificate signed by the certificate authority (without obtaining a copy of the CA key).
Impersonation: Trick the registration authority into issuing a fraudulent certificate.
RA Compromise: Infiltrate the registration authority, or steal its credentials, and authorize fraudulent certificates.
CA Key Theft: Steal or derive a copy of the certificate authority's private key and issue fraudulent certificates directly.

These successful attacks were earth shaking because digital certificates and the encryption keys they represent are the bedrock of Internet communications. They secure everything from VPN connections to protocols such as TLS (Transport Layer Security) and SSL (Secure Sockets Layer) that protect billions of Web sessions and online transactions daily. At the heart of this system is a global public key infrastructure network of some 300 CAs entrusted with issuing certificates to individuals and organizations.

Certificate authorities are gatekeepers. They verify the identities of individuals and organizations before issuing digital certificates that bind those identities to the public encryption keys used to secure online exchange of information. (The matching private key stays with the certificate holder; a certificate never contains it, which is why theft of a CA's own signing key, not of any customer's key, is what lets an attacker mint certificates at will.) At least that's how it's supposed to work. As the DigiNotar attack revealed, CAs aren't Fort Knox-style identity vaults but rather are businesses subject to their own security mishaps. In the last year, CAs have come under attack from sophisticated and possibly nation-backed hacking crews, exposing security lapses and poor internal controls.

The current system leaves security-conscious businesses in a pinch. More than ever, they need secure and reliable identity services to back up their growing online presences, but the system in place is more vulnerable than ever.

What's to be done?
Many experts say certificate technology still has a future and that security-conscious organizations can protect themselves by understanding the gaps in the system and taking common-sense steps to avoid them.

A Disjointed Ecosystem

DigiNotar's compromise and the resulting collapse of that certificate authority exposed deep cracks in the global PKI system. Chief among them is the sheer number of organizations with a license to issue certificates and vouch for online identities.

An offshoot of the development of SSL by Internet pioneer Netscape, CAs were envisioned as highly secure and single-purpose facilities, akin to passport offices, says Ryan Hurst, a cryptography expert and CTO at GlobalSign, a CA. As use of the Web and e-commerce exploded, however, the job of issuing certificates turned into a business — and a profitable one. Dozens of companies entered the market, led by firms such as VeriSign (now owned by Symantec). National governments, large corporations and commercial certificate vendors set up their own root CAs, letting them issue certificates that are accepted worldwide. Microsoft alone recognizes more than 300 CAs linked to more than 80 organizations, says Hurst, who managed that company's root server and other cryptographic initiatives for close to a decade.

Most Internet users have only a passing familiarity with this global system of online trust. Most major online service providers offer their users the option of communicating over encrypted connections; many even require it. The major browsers offer Web users clear visual cues to let them know when a particular session is protected using SSL or some other encryption method. These cues include the well-known "padlock" icon in the URL bar. Browsers keep track of reputable CAs and warn users when they visit a site that offers a suspicious or expired certificate. If you need a certificate for a website or other purposes, companies such as VeriSign and Go Daddy make buying one easy and affordable.

Convenience aside, all of those private and commercial CAs make for a rickety identity infrastructure, says Craig Spiezle, executive director and founder of the Online Trust Alliance, a nonprofit that promotes privacy, security and identity best practices. "So much of the Internet relies on SSL and the whole chain of trust," Spiezle says, "but it's a confusing, convoluted and disjointed ecosystem."

First, there's no single list of supported root CAs. Instead, each browser platform has its own policies for selecting the root CAs it recognizes. That means each browser supports a slightly different mix of CAs, with lots of overlap, says Serge Egelman, a security researcher at the University of California, Berkeley. Second, the sheer number of competing CAs has created a race to the bottom, he says, putting financial pressure on companies to cut corners. Further down the chain of trust, browser makers such as Microsoft, Google and the Mozilla Foundation worry that they'll drive fickle users to other platforms if they issue too many security alerts and warnings, so they bundle into their software a liberal list of CAs whose certificates they accept. This approach lessens the likelihood users will get an irritating error or warning message when connecting to a website, but it also increases the chances that certificates from a compromised or disreputable CA will be trusted, Egelman says.

Having so many companies with a hand in issuing certificates also extends the risk. That was evident in the case of fraudulent certificates issued by Comodo, in which attackers compromised an administrative account at a Comodo reseller that was acting as a registration authority. (An RA vets certificate requests on the CA's behalf but holds no signing key of its own, so the reseller compromise yielded certificates that Comodo itself signed.) The attackers then used that account to generate nine fraudulent certificates, signed by Comodo, for seven domains, including google.com and yahoo.com.

In an age of nation-backed attacks, CAs with ties to authoritarian regimes also bear scrutiny. Felix Lindner, the hacker known as FX, says travelers connecting to online services within China should treat even secure Web sessions there with skepticism. "We've seen [fraudulent] certificates that checked out as valid on iPhones and other Apple devices for sites like mac.com," he says. "Your little lock icon is not good in China."

Poor SSL Implementation

Compromised CAs are just the tip of the iceberg. Poorly implemented SSL and certificate infrastructure within organizations is also a big problem. SSL Pulse, a real-time online dashboard that surveys the security of close to 200,000 SSL-enabled websites, documents the overall health of the SSL ecosystem based on several measures, such as proper configuration and the strength of the encryption keys used to sign certificates. Close to 40% of the sites that are monitored support weak or insecure cipher suites of 128 bits or less, while about a third still support the 17-year-old SSL v2.0 protocol, which is known to be insecure, according to SSL Pulse. In response, Microsoft and other vendors are putting pressure on software publishers and downstream websites to clean up their

Certificate Authorities Under Attack

Jan. 2001: VeriSign issues Microsoft code signing certificate to a non-Microsoft ...
July 2003: Thawte warns customers of doppelganger certificates.
Aug. 2008: Thawte issues certificate for Live.com, a ...
Dec. 2008: Comodo issues Mozilla.org certificate to Start...
March 2011: Comodo issues nine counterfeit certificates.
June 2011: StartSSL CA compromised.
June-Sept. 2011: DigiNotar CA compromised, 531 fraudulent ...
Sept. 2011: Researchers reveal details of Beast attack on ...
Nov. 2011: Dutch CA KPN says it will cease operations ...
Feb. 2012: Trustwave is caught issuing "skeleton key" ...
May 2012: Flame malware authors forge Microsoft CA ...
Sept. 2012: Researchers release Crime attack, allowing hijacking ...
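The SSL Pulse findings above (weak cipher suites, SSLv2 still enabled) and the CRIME entry in the timeline all come down to server-side configuration. The following is an added example, not SSL Pulse's own checker or any code from the article: it audits a Python `ssl.SSLContext` for three of the properties SSL Pulse grades (protocol floor, cipher-suite strength, TLS compression) using only the standard library, and places a 2012-style weak configuration beside a hardened one. The choice of thresholds (128-bit keys, TLS 1.2 floor) and the list of broken-algorithm tokens are this example's approximation of the SSL Pulse criteria, not a reproduction of them; both contexts are constructed for the demo and nothing here contacts a server.

```python
"""Configuration audit (added example; not SSL Pulse's code or the article's).

Approximates three SSL Pulse checks against an ssl.SSLContext: a protocol floor of
TLS 1.2, no cipher suite under 128 bits or built on a broken algorithm, and TLS
compression disabled (the CRIME attack).  Thresholds are this example's assumption."""
import ssl
from typing import List

# Tokens that mark an OpenSSL suite name as broken regardless of nominal key length.
BROKEN_TOKENS = {"NULL", "EXP", "DES", "RC4", "RC2", "MD5"}


def audit(ctx: ssl.SSLContext) -> List[str]:
    """Return human-readable findings; an empty list means the context passes."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(f"minimum protocol {ctx.minimum_version.name} is below TLS 1.2 "
                        "(SSLv2/SSLv3/TLS 1.0 may be negotiable, depending on the build)")
    if not ctx.options & ssl.OP_NO_COMPRESSION:
        findings.append("TLS compression enabled (CRIME)")
    for suite in ctx.get_ciphers():             # the suites actually enabled on this context
        reasons = []
        if suite["strength_bits"] < 128:
            reasons.append(f"{suite['strength_bits']}-bit key")
        broken = sorted(BROKEN_TOKENS & set(suite["name"].split("-")))
        if broken:                               # e.g. DES-CBC3-SHA, NULL-SHA256, RC4-MD5
            reasons.append("uses " + "/".join(broken))
        if reasons:
            findings.append(f"cipher {suite['name']}: " + ", ".join(reasons))
    return findings


def weak_context() -> ssl.SSLContext:
    """Everything the library can negotiate, compression on: the shape SSL Pulse flags."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED   # no protocol floor at all
    ctx.options = ssl.OP_ALL                    # drops Python's default OP_NO_COMPRESSION
    ctx.set_ciphers("ALL:eNULL:@SECLEVEL=0")    # SECLEVEL=0 re-enables suites OpenSSL hides
    return ctx


def hardened_context() -> ssl.SSLContext:
    """TLS 1.2 and up, AEAD suites with forward secrecy only, compression off."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.options |= ssl.OP_NO_COMPRESSION | ssl.OP_CIPHER_SERVER_PREFERENCE
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!MD5")
    return ctx


if __name__ == "__main__":
    for label, ctx in (("weak", weak_context()), ("hardened", hardened_context())):
        findings = audit(ctx)
        print(f"== {label}: {len(findings)} finding(s)")
        for line in findings:
            print("  ", line)
```

The weak context reports a missing protocol floor, compression enabled and a list of sub-128-bit or broken suites; the hardened one reports nothing. The same three checks map directly onto web-server settings (protocol minimum, cipher string, compression), which is where the SSL Pulse numbers come from.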