The recent Microsoft Security Advisory warning of fraudulent digital certificates brought to mind a concern that has quietly slipped from wide notice. In this early era of digital social networks and free-flowing personal information, the question “Do you know who you trust?” is more timely than ever.
For those who aren’t aware of the details, one of the root certificate authorities (or CAs) responsible for establishing identity information on the Internet was basically “tricked” into issuing digital certificates for a number of high-profile domains, including login.yahoo.com, mail.google.com, login.skype.com and 7 others. But why should we care? Because it can affect you. These digital certificates not only function as “identity papers” in the online world; they are also the basis for the secure HTTPS (SSL-encrypted) communication with those sites that we are told to look for (“look for the lock symbol in your browser!”) before disclosing any sensitive information. The sites look absolutely valid, and their Internet identity papers confirm it.
Unfortunately, in this case those are stolen identity papers. If we trust those sites, we will end up handing our passwords and PINs to criminals. But who would suspect that the sites aren’t legitimate? The domain names are familiar (google.com, yahoo.com, skype.com). Our browsers would warn us if the name on the certificate didn’t match the destination address, and they would also warn us if the certificate wasn’t issued by a trusted certificate authority. We’ve all seen that pop-up at some point:
(Screenshots of the untrusted-certificate warning dialog in Firefox and in Internet Explorer.)
But what are trusted Certificate Authorities? And who decides that they are trusted? To answer the first question: Certificate Authorities are companies that verify ownership of a domain and then issue a digital certificate (i.e. Internet identity papers) for that domain. Note that such a certificate doesn’t mean the site itself is trustworthy, only that whoever holds the certificate for a domain has been verified as its owner.
That verification step is where Comodo Inc. had problems. Apparently someone broke into their Registration Authority (or RA) and was able to fool Comodo’s certificate server into believing that the requests for these certificates were genuine. The RA serves, among other purposes, as the fact-checker: it establishes whether or not a request is valid. The attacker didn’t attempt a frontal assault; CAs are generally very well protected (they sit in locked cages with biometric access controls inside secure datacenters). Instead, they attacked the trust chain. A real-life example (well, real-life Hollywood-style) would be stealing an armored truck and uniforms and fooling bank personnel into loading the cash into the truck, rather than trying to break into the vault directly.
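To make the two browser checks described above, and the way a tricked RA slips past both of them, concrete, here is a small Go program that builds a throwaway PKI in memory with nothing but the standard library. It is an added example written for this post, not code from Comodo, Microsoft or any browser vendor. Everything in it is constructed: the two roots (“Honest Root CA” and “Tricked Root CA”), the placeholder host login.example.com, and the serial numbers. The program issues a genuine certificate for the host from the honest root and a rogue one for the same host from the tricked root, then runs each through the same chain-and-hostname validation a browser performs, both with the shipped trust store and with the tricked root distrusted, and finally compares the rogue certificate’s key against the genuine key as a public-key pin would.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must turns the (value, error) pairs below into a panic; a failing key
// generation or signature is not a case this toy PKI tries to handle.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// makeCert generates a fresh P-256 key for a certificate named cn and has
// signerKey sign it under parent. With parent == nil the certificate is a
// self-signed root CA; otherwise it is a server certificate for the DNS name cn.
func makeCert(cn string, serial int64, parent *x509.Certificate, signerKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, signerKey = tmpl, key
	} else {
		tmpl.DNSNames = []string{cn}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signerKey))
	return must(x509.ParseCertificate(der)), key
}

// browserCheck is the pair of checks the post describes: the chain must end at a
// root in the trust store, and the name on the certificate must match the host.
func browserCheck(leaf *x509.Certificate, store *x509.CertPool, host string) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: store, DNSName: host})
	return err
}

// spkiPin is the SHA-256 of the certificate's public key, the value a key pin compares.
func spkiPin(cert *x509.Certificate) [32]byte {
	return sha256.Sum256(cert.RawSubjectPublicKeyInfo)
}

// Outcome records, per check, whether the certificate shown to it was accepted.
type Outcome struct {
	GenuineAccepted    bool // real cert, right host, root in the store
	WrongHostAccepted  bool // right cert, wrong host: the name-mismatch warning
	RogueAccepted      bool // rogue cert signed by a trusted but tricked root
	RogueAfterDistrust bool // the same rogue cert once that root is distrusted
	RoguePinMatches    bool // whether the rogue key matches the pinned genuine key
}

// RunScenario issues a genuine certificate from an honest root and a rogue one for
// the same host from a second root that is equally trusted but whose RA was fooled.
func RunScenario() Outcome {
	honestCert, honestKey := makeCert("Honest Root CA", 1, nil, nil)
	trickedCert, trickedKey := makeCert("Tricked Root CA", 2, nil, nil)
	const host = "login.example.com" // placeholder, not one of the affected domains
	genuine, _ := makeCert(host, 10, honestCert, honestKey)
	rogue, _ := makeCert(host, 11, trickedCert, trickedKey) // issued after the RA was fooled

	store := x509.NewCertPool() // the browser's shipped trust store holds both roots
	store.AddCert(honestCert)
	store.AddCert(trickedCert)
	pruned := x509.NewCertPool() // the same store with the tricked root distrusted
	pruned.AddCert(honestCert)

	return Outcome{
		GenuineAccepted:    browserCheck(genuine, store, host) == nil,
		WrongHostAccepted:  browserCheck(genuine, store, "mail.example.com") == nil,
		RogueAccepted:      browserCheck(rogue, store, host) == nil,
		RogueAfterDistrust: browserCheck(rogue, pruned, host) == nil,
		RoguePinMatches:    spkiPin(rogue) == spkiPin(genuine),
	}
}

func main() {
	fmt.Printf("%+v\n", RunScenario())
}
```

Run it with `go run` and the printed Outcome tells the story of the advisory in five booleans: the genuine certificate is accepted, the name mismatch and the distrusted root both trigger a rejection (those are the two pop-ups), but the rogue certificate sails through the shipped trust store because its signature is perfectly valid and its name matches; nothing in the certificate records that the RA was fooled. The last field shows the one check that does catch it: a client that already knows the site’s real public key (or its expected issuer) sees that the rogue certificate carries a different key, which is the idea behind public-key pinning.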
But we still haven’t answered the second question: what makes a Certificate Authority trusted? I’ll answer that in Part 2 and include some practical recommendations on how to assess and reduce your own risk.