
Trusting unknown parties for security? Welcome to the web

Rob Beschizza at 9:46 am Thu, Apr 14, 2011

At The Economist, Glenn Fleishman writes about a fundamental flaw in the industry-standard security system for websites, SSL, familiar to all of us as the little lock icon that appears for 'secure' websites. Recently, a cracker was able to issue himself security certificates for domains at Skype and elsewhere, making clear the problem of trusting certificate authorities just because.
The secure web infrastructure was designed in part to defend against this. The browser may be tricked into connecting to a server designed to extract your identity or intercept communications, but the browser will see the wolf under the sheep's clothing. It will alert the user and hinder him from connecting to a server that lacks a certificate, issued by some CA, for the domain it claims to be representing. But if a valid certificate can be obtained, neither the user nor the browser has any idea that they have been hijacked.

A big part of the problem seems to be the willingness of browser- and OS-makers to turn a blind eye to sleazy CAs.

The web's trust issues [The Economist]


MORE:  ssl • Technology


  • jowlsey

    @mr_josh- enable the numeric keypad, hold down the alt key, then type 059 using numeric keypad.

  • Anonymous

    A big part of the problem seems to be the willingness of browser- and OS-makers to turn a blind eye to sleazy CAs.

    So, the attitude that results in knowingly shipping shoddy goods in turn enables sleazeballs to flourish?

    Just like in every other field of endeavor?

    “All that is necessary for evil to triumph is for good men to do nothing”

  • Nadreck

    On the interWebs you’re in a dark room, shouting at people whose faces you can’t see. As you enter the room you get a binder of unforgeable signet ring impressions. If someone gives you a business card with one of these seals on it you can trust that they are who they say they are: if you trust the binder publisher that is.

    Sometimes the signet rings get stolen. Over at one window of the room there’s a box, that gets restocked once a week, where you can pick up a list of stolen signet rings. Or you can shout out to some of the people in the room and ask them if they remember stamping so-and-so’s business card. After all, maybe they don’t know that their ring was stolen for a while. You don’t ask for a business card from the people that answer you.

    Then there’s the problem of ventriloquists…
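The post's point (a browser accepts a certificate for any domain from any CA in its trust store, so a mis-issued certificate looks exactly like a real one) and the comment above's stolen-signet-ring analogy (a revocation list that a client only sees after it refetches the list) can both be shown in a few dozen lines. The following Python is an added example written for this page, not code from the post, The Economist article, or any commenter. It stands in an HMAC keyed by a per-CA secret for the real public-key signature, and the CA names, secrets, domain and keys are constructed for the demonstration.

```python
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    serial: int
    domain: str
    key_fingerprint: str  # hash of the site's public key (the SPKI hash in real X.509)
    issuer: str           # name of the issuing CA
    signature: str


class CA:
    """A certificate authority. Real CAs sign with a private key and browsers verify
    with the matching public key; this model uses an HMAC keyed by a per-CA secret,
    which is enough to show the structural point (simplification, not real TLS)."""

    def __init__(self, name: str, secret: bytes):
        self.name = name
        self._secret = secret
        self._next_serial = 1

    def _mac(self, serial: int, domain: str, key_fingerprint: str) -> str:
        msg = f"{serial}|{domain}|{key_fingerprint}|{self.name}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()

    def issue(self, domain: str, key_fingerprint: str) -> Cert:
        serial = self._next_serial
        self._next_serial += 1
        return Cert(serial, domain, key_fingerprint, self.name,
                    self._mac(serial, domain, key_fingerprint))

    def verify(self, cert: Cert) -> bool:
        expected = self._mac(cert.serial, cert.domain, cert.key_fingerprint)
        return hmac.compare_digest(expected, cert.signature)


def browser_accepts(cert: Cert, trust_store: dict[str, CA], hostname: str) -> bool:
    """Baseline browser validation: the certificate names the host and is signed by
    ANY CA in the trust store. No CA is tied to a particular domain, which is the
    flaw the post describes."""
    ca = trust_store.get(cert.issuer)
    return ca is not None and cert.domain == hostname and ca.verify(cert)


def pin_check(cert: Cert, pins: dict[str, set[str]]) -> bool:
    """Key pinning: only a key fingerprint recorded for this domain on an earlier,
    known-good connection is accepted, whichever CA signed the certificate."""
    return cert.key_fingerprint in pins.get(cert.domain, set())


def is_revoked(cert: Cert, crl: dict[str, set[int]]) -> bool:
    """Revocation list lookup: the CA publishes the serials it has withdrawn, but a
    client only knows what the copy it last fetched says."""
    return cert.serial in crl.get(cert.issuer, set())


def demo() -> dict[str, bool]:
    # Constructed scenario: two CAs the browser trusts equally, a site's real key,
    # and an attacker's key. Names, secrets and keys are made up for this example.
    good_ca = CA("Good CA", b"good-ca-secret")
    sleazy_ca = CA("Sleazy CA", b"sleazy-ca-secret")
    trust_store = {good_ca.name: good_ca, sleazy_ca.name: sleazy_ca}

    site_key = hashlib.sha256(b"example.com real public key").hexdigest()
    attacker_key = hashlib.sha256(b"attacker public key").hexdigest()

    real = good_ca.issue("example.com", site_key)
    forged = sleazy_ca.issue("example.com", attacker_key)  # mis-issued but validly signed

    pins = {"example.com": {site_key}}   # recorded on an earlier, known-good visit
    stale_crl: dict[str, set[int]] = {}  # the copy fetched last week: nothing listed yet

    results = {
        "real_accepted": browser_accepts(real, trust_store, "example.com"),
        "forged_accepted": browser_accepts(forged, trust_store, "example.com"),
        "real_passes_pin": pin_check(real, pins),
        "forged_passes_pin": pin_check(forged, pins),
        "forged_revoked_on_stale_list": is_revoked(forged, stale_crl),
    }
    # The CA learns of the mis-issuance and publishes a fresh list; only clients
    # that refetch it see the revocation.
    fresh_crl = {sleazy_ca.name: {forged.serial}}
    results["forged_revoked_on_fresh_list"] = is_revoked(forged, fresh_crl)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running it shows the forged certificate passing baseline validation exactly like the real one, being rejected only by the pin, and appearing as revoked only once the client holds the freshly published list rather than last week's copy.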

  • Anonymous

    What a ridiculous keyboard; no more semi-colons or colons. And most importantly, no more ellipses!

    “He who sacrifices his grammar for security deserves neither”, I believe the quote goes.

  • creesto

    I’ve been surfin since about the time bOING bOING went webzine, and I’ve never fallen for an online ruse. I know, I know:

    Famous. Last. Words.

    After all this time, my philosophy is simple:

    Don’t. Trust. Whitey.

  • EH

    This article is naive; it’s turtles all the way down. Verisign is the original hijacker, an “authority” by fiat.

    • Glenn Fleishman

      That’s an awesome retort. I would only respond, as the doubly naive writer, that VeriSign has never so far been accused of using its commercial role for corporate or government espionage, while there is suspicion that other CAs may have been suborned or hijacked for this goal. We simply don’t know.

      Google’s certificate almanac is a fascinating project, as it may expose wrongdoing that we were previously completely unaware of. (Or not.)

  • mr_josh

    I’ll just go ahead and ask: how do you type a semi-colon on that thing?

    • Avram / Moderator

      I was just about to say. Bad keyboard for writing Perl or PHP.