Select your localized edition:

Close ×

More Ways to Connect

Discover one of our 28 local entrepreneurial communities »

Be the first to know as we launch in new countries and markets around the globe.

Interested in bringing MIT Technology Review to your local market?

MIT Technology ReviewMIT Technology Review - logo

 

Unsupported browser: Your browser does not meet modern web standards. See how it scores »

{ action.text }

A major breach at a Dutch purveyor of digital certificates has caused some security experts to question the infrastructure that underpins the security of the Internet.

The breach allowed unknown attackers to issue at least 531 fraudulent certificates for major domains, including Google.com, Microsoft.com, and Yahoo.com. Certificates are supposed to verify a website as genuine to a visitor’s Web browser; that verification prevents an attacker from using a forged domain address to steal data. The certificates contain encrypted data that lets browsers and other software confirm that a website is legitimate. So by compromising the digital certificate, an attacker can pose as a secure website, such as Google’s Gmail, and intercept communications, or bypass security mechanisms and install malicious software.

“What is unusual here is not that a certificate authority was compromised, but that someone noticed,” says Moxie Marlinspike, chief technology officer and cofounder of Whisper Systems, a firm focusing on securing mobile communications. “This is happening all the time.”

The compromised certificate company, DigiNotar, is one of about 650 companies, known as certificate authorities, or CAs, that are trusted to issue the certificates. Earlier this year, another certificate authority, Comodo, acknowledged that an attacker had breached the security of its systems and issued at least nine certificates for large domains, including Google, Skype, and Yahoo. At the Black Hat Security Conference in August, Marlinspike criticized the current system of certificate authorities and offered a different model, known as Convergence, based on a peer-to-peer model of trust.

The Electronic Frontier Foundation, a digital rights group, argued in an analysis published this week that recent break-ins suggest that the choice of whether to trust a certificate authority should lay with the user, not with browser vendors or websites.

“These CAs appear to exist within around 50 countries’ jurisdictions,” the authors of the report write. “Any one of these countries could conceivably compel a CA to create fraudulent certificates for purposes of espionage or for spying on that country’s citizens.”

The latest attack demonstrates that a single breach can have far-reaching effects. A preliminary report issued by Dutch security firm Fox-IT in early September found that the intruders exploited significant weaknesses in DigiNotar’s network security, including a single account capable of controlling all its certificate servers and using a weak password for account access. The firm found that more than 300,000 unique IP addresses—almost entirely from Iran—encountered one fraudulent certificate issued for Google’s domain. Already, Apple, Google, Microsoft, and Mozilla have updated their browser to distrust any certificate signed by DigiNotar.

3 comments. Share your thoughts »

Credit: Technology Review

Tagged: Web, security, Web, Internet crime

Reprints and Permissions | Send feedback to the editor

From the Archives

Close

Introducing MIT Technology Review Insider.

Already a Magazine subscriber?

You're automatically an Insider. It's easy to activate or upgrade your account.

Activate Your Account

Become an Insider

It's the new way to subscribe. Get even more of the tech news, research, and discoveries you crave.

Sign Up

Learn More

Find out why MIT Technology Review Insider is for you and explore your options.

Show Me