Electronic Frontier Foundation staff technologist Peter Eckersley has a good, in-depth analysis of the revelation that Iranian hackers acquired fraudulent SSL certificates for Google, Yahoo, Mozilla and others by spoofing Comodo, a major Certificate Authority. CAs are companies that are allowed to sell cryptographically signed certificates that browsers use to verify their network connections; with these spoofed certs, the hackers could undetectably impersonate Yahoo and Google (allowing them to read mail even if it was being read over a secure connection), the Mozilla certificate would allow them to slip malicious spyware onto the computer of anyone installing a Firefox plugin.
It appears that the fraud was detected before any harm could be done, but Eckersley explains how close we came to a global security meltdown, and starts thinking about how we can prepare for a more successful attack in the future.
Most Certificate Authorities do good work. Some make mistakes occasionally,2 but that is normal in computer security. The real problem is a structural one: there are 1,500 CA certificates controlled by around 650 organizations,3 and every time you connect to an HTTPS webserver, or exchange email (POP/IMAP/SMTP) encrypted by TLS, you implicitly trust all of those certificate authorities!
Iranian hackers obtain fraudulent HTTPS certificates: How close to a Web security meltdown did we get?
What we need is a robust way to cross-check the good work that CAs currently do, to provide defense in depth and ensure (1) that a private key-compromise failure at a major CA does not lead to an Internet-wide cryptography meltdown and (2) that our software does not need to trust all of the CAs, for everything, all of the time.
For the time being, we will make just one remark about this. Many people have been touting DNSSEC PKI as a solution to the problem. While DNSSEC could be an improvement, we do not believe it is the right solution to the TLS security problem. One reason is that the DNS hierarchy is not trustworthy. Countries like the UAE and Tunisia control certificate authorities, and have a history of compromising their citizens' computer security. But these countries also control top-level DNS domains, and could control the DNSSEC entries for those ccTLDs. And the emergence of DNS manipulation by the US government also raises many concerns about whether DNSSEC will be reliable in the future.
Wow. @CarnegieMellon is America's Shanghai Jiaotong. https://t.co/UAtaAgJvJh— Edward Snowden (@Snowden) November 11, 2015 Documents published by Vice News: Motherboard and further reporting by Wired News suggest that a team of researchers from Carnegie Mellon University who canceled their scheduled 2015 BlackHat talk identified Tor hidden servers and visitors, and turned that data over to the […]
LA Makerspace co-founder Tara Tiger Brown shares a project that her kid-friendly maker workshop is trying to make a reality.
Amid growing fears about safety and security risks from unauthorized drone flights, federal regulators say they plan to require pretty much all recreational drones in the U.S. to be registered.
Carrying this EDC card is like slinging around a handheld toolbox wherever you go. Its minimal design is small enough to fit in your wallet’s billfold, and it’s TSA-compliant so you’ll never leave it behind. It’s got hex wrenches, metric and imperial rulers, flathead and Phillip’s screwdrivers, and a bottle opener so that you’re ready […]
Today only take an additional 15% off the below drones today using coupon code: DRONE15 at checkoutThe Code Black is our top-selling drone of all time—and for good reason. This powerful, palm-size drone is not only insanely fun to fly, but can capture some serious video footage from up above. With a flight time of […]
Why interrupt your post-Thanksgiving turkey bliss to wait in an epic line, when the best deal of the season is a click away? We’re treating you Mac enthusiasts to the ultimate Black Friday bundle, packed with apps to give your machine a mega boost in the right direction. From Drive Genius to AfterShot Pro to […]