Electronic Frontier Foundation staff technologist Peter Eckersley has a good, in-depth analysis of the revelation that Iranian hackers acquired fraudulent SSL certificates for Google, Yahoo, Mozilla and others by spoofing Comodo, a major Certificate Authority. CAs are companies that are allowed to sell cryptographically signed certificates that browsers use to verify their network connections; with these spoofed certs, the hackers could undetectably impersonate Yahoo and Google (allowing them to read mail even if it was being read over a secure connection), the Mozilla certificate would allow them to slip malicious spyware onto the computer of anyone installing a Firefox plugin.
It appears that the fraud was detected before any harm could be done, but Eckersley explains how close we came to a global security meltdown, and starts thinking about how we can prepare for a more successful attack in the future.
Most Certificate Authorities do good work. Some make mistakes occasionally,2 but that is normal in computer security. The real problem is a structural one: there are 1,500 CA certificates controlled by around 650 organizations,3 and every time you connect to an HTTPS webserver, or exchange email (POP/IMAP/SMTP) encrypted by TLS, you implicitly trust all of those certificate authorities!
Iranian hackers obtain fraudulent HTTPS certificates: How close to a Web security meltdown did we get?
What we need is a robust way to cross-check the good work that CAs currently do, to provide defense in depth and ensure (1) that a private key-compromise failure at a major CA does not lead to an Internet-wide cryptography meltdown and (2) that our software does not need to trust all of the CAs, for everything, all of the time.
For the time being, we will make just one remark about this. Many people have been touting DNSSEC PKI as a solution to the problem. While DNSSEC could be an improvement, we do not believe it is the right solution to the TLS security problem. One reason is that the DNS hierarchy is not trustworthy. Countries like the UAE and Tunisia control certificate authorities, and have a history of compromising their citizens' computer security. But these countries also control top-level DNS domains, and could control the DNSSEC entries for those ccTLDs. And the emergence of DNS manipulation by the US government also raises many concerns about whether DNSSEC will be reliable in the future.
Wow. @CarnegieMellon is America's Shanghai Jiaotong. https://t.co/UAtaAgJvJh— Edward Snowden (@Snowden) November 11, 2015 Documents published by Vice News: Motherboard and further reporting by Wired News suggest that a team of researchers from Carnegie Mellon University who canceled their scheduled 2015 BlackHat talk identified Tor hidden servers and visitors, and turned that data over to the […]
LA Makerspace co-founder Tara Tiger Brown shares a project that her kid-friendly maker workshop is trying to make a reality.
Amid growing fears about safety and security risks from unauthorized drone flights, federal regulators say they plan to require pretty much all recreational drones in the U.S. to be registered.
Today and tomorrow only we are offering an additional 15% off the entire Boing Boing store (some exclusions may apply). Simply use coupon code: BLACKFRIDAY at checkout! Below are a few of our favorites from the store: First Generation Lytro 16GB Camera: The First Consumer Camera to Capture the Entire Light FieldAdobe Training Videos: Lifetime Subscription: 6,000+ Adobe […]
Today only in the Boing Boing Store we are offering an extra 15% off of the below VPN deals just use coupon code: VPN15 at checkout. proXPN VPN: Premium Lifetime Subscription Surf the web with ultimate peace of mind – both at home and on the road – over proXPN’s fully-encrypted, lightning-fast servers. Your lifetime premium subscription […]
These knitted gloves are here to save the day (and your hands) with an ultra-comfy, double-layer that will allow you to stay warm and use your phone. Now you can take photos on the fly, text, Tinder, and more without letting freezing temperatures get in your way. Plus they work with all touchscreens, so no […]