Censorship: 2011 in Review – Ever-Clearer Vulnerabilities in Certificate Authority System

| By Dan Auerbach | Sourced from EFF.org (Creative Commons License) |

As the year draws to a close, EFF is looking back at the major trends influencing digital rights in 2011 and discussing where we are in the fight for free expression, innovation, fair use, and privacy.

At EFF we are big fans of HTTPS, the secure version of HTTP that allows for private conversations between websites and the users who are browsing them. But a chain is only as strong as its weakest link, and in the case of HTTPS the weakest link is the hodgepodge of organizations (hundreds!) that make up the Certificate Authority (CA) system. Any one of these “trusted” organizations can issue a certificate for any website whatsoever, and browsers will accept it: nothing in the system ties a CA to the sites it legitimately serves, so every site is only as safe as the least careful CA in the browser's list. If any of these organizations lies or gets compromised, users are at risk. Though we have known for a while that this system is flawed, this year two attacks acutely demonstrated just how brittle it has become.

First, in March, an attacker used the compromised credentials of a Comodo affiliate (a registration authority able to request certificates from that very large CA) to obtain fraudulent certificates for popular domains like mail.google.com, login.yahoo.com, and addons.mozilla.org. Though this was detected quickly and the scope of the compromise was luckily not too large, the attack put the spotlight on one major problem of the CA system: some CAs, like Comodo, are too big to fail. If the organization were to be compromised in a serious way, browsers would be faced with the extraordinary task of figuring out which of its certificates they could still trust. Distrusting all of Comodo's certificates would make a significant portion of the internet inaccessible to the browser's users, but trusting Comodo too broadly might mean trusting some fraudulent certificates. Rock. Browser vendors. Hard place.

Second, sometime before July 10th, the CA DigiNotar was compromised, and for weeks afterward hundreds of thousands of users, most of whom appear to be from Iran, were subject to a man-in-the-middle attack using fraudulent certificates issued by DigiNotar, including one valid for every google.com subdomain. This is the largest known successful attack on the existing CA system to date, and a wake-up call that staying the course is unacceptable for the security of internet users. As our postmortem indicates, a large number of users were affected and their communications on popular sites like Gmail could be read. This time, browser vendors were able to remove DigiNotar from their respective lists of trusted CAs because of DigiNotar's relatively small size, but the intrusion went unnoticed for months. It came to light only when Chrome, which ships built-in public-key pins for Google's domains, rejected the rogue certificate for a user in Iran; DigiNotar itself had discovered the fraudulent issuance in July and did not disclose it. That silence highlights the perverse incentives Certificate Authorities face under the existing scheme, another big reason the status quo is broken.
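To make the weakest-link property concrete, and to show the kind of check that caught the DigiNotar certificate, here is an added example written for this page; it is not EFF's code, nor a browser's. It builds two roots, a "Good CA" that genuinely serves a site and a compromised "Rogue CA", puts both in one trust store as a browser does, and has each issue a certificate for the same hostname. Ordinary chain validation accepts both, because X.509 does not bind a CA to any set of names; a pin check that requires a known public key in the chain accepts only the genuine one. The CA names, the hostname, and the pin set are constructed for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// must panics on error; the demo has no meaningful recovery path.
func must(err error) {
	if err != nil {
		panic(err)
	}
}

// makeCert generates a fresh key and signs tmpl with parent's key, or
// self-signs when parent is nil. Returns the parsed certificate and its key.
func makeCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// newRoot stands in for one of the hundreds of organizations in a root store.
func newRoot(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	return makeCert(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}, nil, nil)
}

// issueLeaf has root sign a server certificate for host. Nothing stops any
// trusted root from doing this for any hostname.
func issueLeaf(root *x509.Certificate, rootKey *ecdsa.PrivateKey, host string) *x509.Certificate {
	leaf, _ := makeCert(&x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, root, rootKey)
	return leaf
}

// spkiPin is the base64 SHA-256 of a certificate's SubjectPublicKeyInfo,
// the value public-key pinning compares against.
func spkiPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// check runs browser-style path validation against roots, then a pin check
// that also requires some certificate in the chain to carry a pinned key.
func check(leaf *x509.Certificate, roots *x509.CertPool, host string, pins map[string]bool) (chainOK, pinOK bool) {
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	if err != nil {
		return false, false
	}
	for _, chain := range chains {
		for _, c := range chain {
			if pins[spkiPin(c)] {
				return true, true
			}
		}
	}
	return true, false
}

// Verdict records how the genuine and the rogue certificate fare under each check.
type Verdict struct {
	GenuineChainOK, GenuinePinOK bool
	RogueChainOK, RoguePinOK     bool
}

// RunScenario trusts both roots (the status quo), pins only Good CA's key for
// host, and tests a certificate for host issued by each root.
func RunScenario(host string) Verdict {
	goodRoot, goodKey := newRoot("Good CA")
	rogueRoot, rogueKey := newRoot("Rogue CA") // constructed: the compromised CA
	roots := x509.NewCertPool()
	roots.AddCert(goodRoot)
	roots.AddCert(rogueRoot)
	pins := map[string]bool{spkiPin(goodRoot): true}
	var v Verdict
	v.GenuineChainOK, v.GenuinePinOK = check(issueLeaf(goodRoot, goodKey, host), roots, host, pins)
	v.RogueChainOK, v.RoguePinOK = check(issueLeaf(rogueRoot, rogueKey, host), roots, host, pins)
	return v
}

func main() {
	v := RunScenario("mail.google.com")
	fmt.Printf("genuine cert: chain valid=%v pin valid=%v\n", v.GenuineChainOK, v.GenuinePinOK)
	fmt.Printf("rogue cert:   chain valid=%v pin valid=%v\n", v.RogueChainOK, v.RoguePinOK)
}
```

The rogue certificate passes `Verify` for exactly the reason the article gives: the trust store is a flat list, and membership in it is the only thing checked. The pin check is the extra constraint that a few high-value domains got from browsers in 2011; it works, but only for sites a vendor chooses to hard-code, which is why the article treats it as no substitute for fixing the system.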

The events of 2011 demonstrate that the problems with the existing CA system are no longer academic, and we hope that there is enough momentum building to finally upgrade everyone to a more secure public key infrastructure. Our SSL Observatory project aims to collect certificates from around the web to study the problem and continues to provide some transparency as well as interesting data, but it is at best a band-aid. We hope that our Sovereign Key project will pave the way towards an effective long term solution, in 2012 and beyond.
