For almost 20 years now we’ve been telling people that when you connect to a site using SSL (the URL starts with and you see the ubiquitous padlock icon) it’s safe. The information you send between your computer and the other site is encrypted and secured. The encryption is done using a secure certificate. The certificate contains the encryption codes and keys that are used by your browser (and not often Windows or OS X itself) to encrypt the data.
The trust came from the fact that secure certificates could only be issued by a few companies and there were stringent controls on making sure you are who you say you are.
Or so we thought.
This week one of the large certificate issuing authorities let the world know that one of its reselling partners had a security breach and 9 fraudulent certificates were created. Who were the certificates “for”? A few sites that you might have heard of (and might have visited today in fact):
- login.live.com
- mail.google.com
- www.google.com
- login.yahoo.com (3 certificates)
- login.skype.com
- addons.mozilla.org
There was also a certificate created for “Global Trustee” (whatever that means or was trying to be is unclear). The certificate issuer Comodo quickly revoked all the certificates when they learned of the breach and only one of the certificates was found in the wild, so the Internet is safe.
For now.
But why is this a huge deal? The problem is that armed with a secure certificate for, say, Google a hacker (or government) could create a fake Gmail site and direct traffic to it. Users would think that the connection is secure and encrypted, but here’s the problem …
The certificate holder can decrypt all the traffic because they hold the keys.
That’s what the certificate is for. When the data reaches the server you want to connect to, it has to be decrypted to be used. Armed with a fake Gmail, Yahoo, Hotmail, or whatever certificate someone could spy on all of the communications going to the website. Even if the hacker routed you to the real Gmail site, the hacker could put their fake site and certificate in the middle of the stream (a man in the middle attack) and intercept communications.
This is scary stuff and the problem is because of how certificates are issued (it’s big business and money; high-strength certificates like the ones we use here at eCrypt cost thousands of dollars) and how many issuers there are (over 1500) the Internet and all of its users are vulnerable.
Yep, we’re all vulnerable.
The problem is that the Internet was built on a system of trust. I’d say probably a naive sense of trust as well. The Internet works by saying here are servers that contain trusted information (for example the DNS system that says which servers google.com are) so you can use that information. That information is gold. If you can reroute people to your own fake website then you can do what you want. If you can reroute people to your own fake website and make them think that the connection is secure…
Is this situation fixable?
That’s the question that us security folks have been tossing around all week. Do we remove certificate creation authority from everyone except for all but a few people? Then how do we keep them safe and secure (they would become huge targets of for hacking)? Then how do we prevent a few companies from raising prices to exorbitant levels?
Most countries can issue certificates, countries like China, how do we know that China isn’t issuing false certificates to spy on communications flowing through its servers (China is suspected in hijacking Internet traffic last year)?
The even bigger problem (and closer to home) is how to ensure that when fraudulent certificates are generated, found, then decertified that our computers and browsers don’t used them? That is an even stickier question that OS and browser makers hadn’t even really thought much about (until now I suspect).
Essentially, this incident is a wake up call for all of us.
Comodo (the root issuer in the fraud) has egg on its face for allowing so many resellers (and some with lax security) to issue certificates on its behalf. Browser makers had to issue emergency patches to ensure that their browsers “knew” that the certificates had been revoked. There hasn’t been anything from Apple or Microsoft on settings that users can make to have certificate revocations automatically checked and updated. And really the whole incident, and why it’s so scary, highlights how so much of what we do on the Internet is based on a system of trust and how easily that trust can be broken.
If you’d like to read more about this incident and the discussion in the aftermath, here are some articles that I found worth a read:
- Google, Yahoo, Skype targeted in attack linked to Iran | Privacy Inc. – CNET News
- Iran behind certificate fraud, says SSL vendor – SC Magazine US
- ‘Iranian’ attackers forge Google’s Gmail credentials • The Register
- Hack Obtains 9 Bogus Certificates for Prominent Websites; Traced to Iran | Threat Level | Wired.com
- Errata Security: No reason to believe Comodo attack came from Iran
- Errata Security: A brief introduction to web “certificates”
- Fraudulent certificates issued by Comodo, is it time to rethink who we trust? | Naked Security
- Hackers exploit chink in Web’s armor | Privacy Inc. – CNET News
As a final note, the chatter about this attack being linked to Iran is very suspect to me. If you’re a hacker for a nation like Iran, don’t you think you’d be smart enough to cover your tracks and not let people trace where you’re really coming from?