New Flaws Revealed In A Creaking Internet
Researchers at Black Hat reveal flaws in the infrastructure designed to keep sensitive information secure.
In separate presentations at the Black Hat computer security conference in Las Vegas this week, two researchers revealed flaws with the system that protects credit card and password transactions online.
The Secure Socket Layer (SSL) protocol implements the padlock that appears in a browser’s address bar, an outward symbol that the underlying communication between browser and server is secure and that the Web page is what it claims to be.
Dan Kaminsky and Moxie Marlinspike separately demonstrated a number of problems with SSL, some immediate and some that could become an issue within the next 18 months. Some of these issues are caused by inconsistencies in how SSL is implemented in the browser compared with how SSL is implemented by the certificate authorities that form the backbone of the system.
Rumblings about this infrastructure have been going on for some time: late last year, researchers Alexander Sotirov and Marc Stevens showed that an outdated algorithm could undermine the system. Later, Marlinspike released a tool that an attacker could use to capture supposedly secure information.
Later today at Black Hat, Sotirov plans to show further problems with “extended validation” SSL certificates, which are supposed to provide a more secure version of the system.
Last year at Black Hat, Kaminsky revealed a major flaw affecting a vital piece of Internet infrastructure that matches website addresses to the servers that host their pages. Kaminsky said in a press conference yesterday that the “creaking” of the SSL infrastructure is a sign that it’s time to look for a new solution. He suggests DNSSEC, a protocol meant to secure the system for looking up website addresses.
Kaminsky believes that it could be designed to guarantee a page’s identity at the same time it links a user to a requested server. Other researchers, however, including some of Kaminsky’s collaborators, don’t agree that DNSSEC is the solution, and think there are ways to bolster SSL without discarding it.
Regardless of how people decide to fix the problems revealed at Black Hat, the takeaway is that much of the infrastructure supporting the Internet is straining under the weight of unintended responsibility.