Security & Mobility Now
rbachelor

Do you know who you trust? Trusted Root Certificate Authorities and You

by Juniper Employee ‎04-18-2011 08:39 PM - edited ‎04-19-2011 01:26 PM

The recent Microsoft Security Advisory warning of fraudulent digital certificates brought back a concern that has quietly slipped from wide notice. In this early era of digital social networks and free-flowing personal information, the question "Do you know who you trust?" is more timely than ever.

For those who aren't aware of the details: one of the root certificate authorities (CAs) responsible for vouching for identity on the Internet was, in effect, tricked into issuing certificates for a number of high-profile hostnames, including login.yahoo.com, mail.google.com and login.skype.com, along with a handful of others (nine certificates in all, covering seven hostnames). Why should we care? Because it can affect you. These certificates not only function as "identity papers" in the online world; they are also the basis for HTTPS, the SSL/TLS-encrypted connection we are told to look for ("look for the lock symbol in your browser!") before disclosing anything sensitive. A site presenting one of these certificates looks absolutely valid, and its Internet identity papers confirm it.

Unfortunately, in this case those identity papers were fraudulently issued. If we trust those sites we will end up handing our passwords and PINs to criminals. But who would suspect that the sites aren't legitimate? The domain names are familiar (google.com, yahoo.com, skype.com). Our browsers would warn us if the name on the certificate didn't match the address we typed, and they would also warn us if the certificate wasn't issued by a trusted certificate authority. Neither warning fires here: the name matches and the issuer is in the browser's trust store. We've all seen that pop-up at some point:

Firefox: [image: untrusted-certificate warning dialog]

Internet Explorer: [image: website security certificate warning page]

But what are trusted Certificate Authorities, and who decides that they are trusted? To answer the first question: Certificate Authorities are companies that verify control of a domain and then issue a digital certificate (the Internet identity papers) for that domain. Note that a certificate doesn't mean the site itself is trustworthy; it only means that whoever holds the certificate (and its private key) for a domain was, at the time of issuance, judged to actually control that domain.

That last step, checking the request, is where Comodo Inc. had problems. Apparently someone broke into one of its Registration Authorities (RAs) and was able to get Comodo's certificate server to accept the requests for these certificates as genuine. The RA serves, among other purposes, as the fact-checker that establishes whether or not a request is valid. The attacker didn't attempt a frontal assault; CAs are generally very well protected (their signing systems sit in locked cages with biometric access controls inside hardened data centers). Instead, the attacker went after the trust chain. A real-life example (well, Hollywood-style real life) would be stealing an armored truck and uniforms and having bank staff load cash into the truck, rather than trying to break into the vault directly.

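To make the two browser checks concrete, here is an added example (not part of the original post) that reproduces the situation locally with OpenSSL: a root that the trust store accepts mis-issues a certificate for mail.google.com, and `openssl verify` runs the same issuer and hostname checks a browser would. Everything in it (the root names "Example Trusted Root CA" and "Some Other Root CA", the keys, the certificates) is generated on the spot as a stand-in; no real CA or Google material is involved. It assumes an `openssl` binary of version 1.1.0 or later, which is when `-verify_hostname` appeared.

```shell
#!/bin/sh
# Added example: build a local trust store, have a trusted root mis-issue a
# certificate for mail.google.com, then run the two checks a browser runs
# (trusted issuer, matching name). All names and keys are placeholders
# generated here; nothing touches a real CA.
set -e
WORK=$(mktemp -d)

# Minimal OpenSSL config so the self-signed roots carry CA:TRUE and are
# accepted as trust anchors regardless of the system openssl.cnf.
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = v3_ca
prompt             = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints     = critical,CA:TRUE
keyUsage             = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# new_root NAME FILE: self-signed root certificate and key (FILE.key, FILE.crt).
new_root() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$WORK/ca.cnf" \
    -subj "/CN=$1" -keyout "$WORK/$2.key" -out "$WORK/$2.crt" >/dev/null 2>&1
}

# Two roots: the one the attacker abused, and an unrelated one for comparison.
new_root "Example Trusted Root CA" root
new_root "Some Other Root CA" other

# The fraudulent leaf: the RA never checked that the requester controls the name,
# so the abused root signs a certificate for mail.google.com.
cat > "$WORK/leaf.ext" <<'EOF'
basicConstraints = CA:FALSE
subjectAltName   = DNS:mail.google.com
EOF
openssl req -newkey rsa:2048 -nodes -config "$WORK/ca.cnf" -subj "/CN=mail.google.com" \
  -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
  -CAcreateserial -days 30 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.crt" >/dev/null 2>&1

# check_cert STORE HOSTNAME: exit 0 if leaf.crt chains to a root in STORE and
# its name matches HOSTNAME (the two checks from the post), non-zero otherwise.
check_cert() {
  openssl verify -CAfile "$WORK/$1.crt" -verify_hostname "$2" \
    "$WORK/leaf.crt" >/dev/null 2>&1
}

# report LABEL STORE HOSTNAME: print what the "browser" would do.
report() {
  if check_cert "$2" "$3"; then
    echo "$1: accepted, no warning"
  else
    echo "$1: rejected"
  fi
}

report "abused root trusted, name matches   " root  mail.google.com
report "abused root trusted, name mismatch  " root  login.google.com
report "abused root removed from trust store" other mail.google.com
```

The first line is the post's point: a correctly named certificate from a root in the store passes silently. The second shows that the hostname check is a separate gate and does nothing against a fraudulent certificate that carries the right name. Only the third, verifying against a store that no longer contains the abused root, fails, which is why what sits in the trust store matters.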
But we still haven't answered the question of what makes a Certificate Authority trusted. I'll answer that in Part 2, along with some practical recommendations on how to assess and reduce your own risk.

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.