
Fake Certificates Reveal Flaws in the Internet's Security

A new report concludes that a breach at a single certificate authority can undermine the security of the entire Internet.

A major breach at a Dutch purveyor of digital certificates has caused some security experts to question the infrastructure that underpins the security of the Internet.

The breach allowed unknown attackers to issue at least 531 fraudulent certificates for major domains, including Google.com, Microsoft.com, and Yahoo.com. Certificates are supposed to verify to a visitor’s Web browser that a website is genuine; that verification is what stops an attacker who redirects traffic to a forged address from passing as the real site and stealing data. Each certificate binds a site’s name to its public key and carries a digital signature from a certificate authority, and it is that signature which lets browsers and other software confirm that the site is legitimate. A certificate fraudulently signed by a trusted authority passes that check, so an attacker holding one can pose as a secure website, such as Google’s Gmail, and intercept communications, or bypass security mechanisms and install malicious software.

“What is unusual here is not that a certificate authority was compromised, but that someone noticed,” says Moxie Marlinspike, chief technology officer and cofounder of Whisper Systems, a firm focusing on securing mobile communications. “This is happening all the time.”

The compromised certificate company, DigiNotar, is one of about 650 companies, known as certificate authorities, or CAs, that browsers trust to issue certificates. Earlier this year, another certificate authority, Comodo, acknowledged that an attacker had breached the security of its systems and issued at least nine certificates for large domains, including Google, Skype, and Yahoo. At the Black Hat Security Conference in August, Marlinspike criticized the current system of certificate authorities and offered a different model, known as Convergence, in which trust is spread across independently run notaries that the user chooses rather than fixed in a list of authorities shipped with the browser.

The Electronic Frontier Foundation, a digital rights group, argued in an analysis published this week that the recent break-ins suggest that the choice of whether to trust a certificate authority should lie with the user, not with browser vendors or websites.

“These CAs appear to exist within around 50 countries’ jurisdictions,” the authors of the report write. “Any one of these countries could conceivably compel a CA to create fraudulent certificates for purposes of espionage or for spying on that country’s citizens.”

The latest attack demonstrates that a single breach can have far-reaching effects. A preliminary report issued by Dutch security firm Fox-IT in early September found that the intruders exploited significant weaknesses in DigiNotar’s network security, including a single account, protected by a weak password, that was capable of controlling all of its certificate servers. The firm found that more than 300,000 unique IP addresses, almost entirely from Iran, encountered one fraudulent certificate issued for Google’s domain. Already, Apple, Google, Microsoft, and Mozilla have updated their browsers to distrust any certificate signed by DigiNotar.
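The two security-relevant points in the paragraphs above, that a browser accepts any certificate chaining to any root in its trust store regardless of which domain it names, and that the vendors’ remedy was to remove DigiNotar’s root from that store, can be made concrete with a small model of chain validation. The following is an added example, not code from the article, Fox-IT, or any browser vendor. It uses a toy textbook RSA with tiny primes (not secure, purely to make “a certificate is a signature by its issuer” executable) and constructed names such as “Honest Root CA” and “DigiNotar Root CA”, which are assumptions for the scenario rather than real keys or certificates.

```python
import hashlib
import json

# --- Toy textbook RSA (tiny primes, deterministic, NOT secure) -------------
# Only here so that "a certificate is a signature by its issuer" is concrete.
E = 65537


def is_prime(n):
    if n < 2:
        return False
    i = 2
    while i * i <= n:
        if n % i == 0:
            return False
        i += 1
    return True


def next_prime(n):
    while not is_prime(n):
        n += 1
    return n


def make_keypair(seed):
    """Return (public, private) = ((n, e), (n, d)) built from two small primes
    near `seed`. Keeping seed < 65537 guarantees gcd(e, (p-1)(q-1)) == 1."""
    p = next_prime(seed)
    q = next_prime(p + 1)
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))
    return (n, E), (n, d)


def _digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(priv, data):
    n, d = priv
    return pow(_digest(data, n), d, n)


def verify(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == _digest(data, n)


# --- Minimal certificate model ---------------------------------------------
def tbs(subject, pub, issuer):
    """Bytes the issuer signs (the analogue of X.509's tbsCertificate)."""
    return json.dumps({"subject": subject, "pub": list(pub), "issuer": issuer},
                      sort_keys=True).encode()


def issue(subject, subject_pub, issuer_name, issuer_priv):
    """Issuer binds `subject` to `subject_pub` by signing the TBS bytes."""
    return {"subject": subject, "pub": subject_pub, "issuer": issuer_name,
            "sig": sign(issuer_priv, tbs(subject, subject_pub, issuer_name))}


def validate(hostname, chain, trust_store):
    """What a browser checks: the leaf names the host, each signature verifies
    under the next certificate's key, and the chain ends at a root whose key is
    in the trust store. Nothing ties a root to particular domain names, so any
    trusted root can vouch for any hostname; that is the weakness discussed."""
    if not chain or chain[0]["subject"] != hostname:
        return False
    for cert, issuer in zip(chain, chain[1:]):
        if cert["issuer"] != issuer["subject"]:
            return False
        data = tbs(cert["subject"], cert["pub"], cert["issuer"])
        if not verify(issuer["pub"], data, cert["sig"]):
            return False
    root = chain[-1]
    return trust_store.get(root["subject"]) == root["pub"]


def diginotar_scenario():
    """Constructed scenario: two trusted roots, one compromised, then removed."""
    honest_pub, honest_priv = make_keypair(10000)
    dn_pub, dn_priv = make_keypair(20000)          # the compromised CA's key
    google_pub, _ = make_keypair(30000)            # the real site's key
    attacker_pub, _ = make_keypair(40000)          # attacker holds this private key

    honest_root = issue("Honest Root CA", honest_pub, "Honest Root CA", honest_priv)
    dn_root = issue("DigiNotar Root CA", dn_pub, "DigiNotar Root CA", dn_priv)
    trust_store = {"Honest Root CA": honest_pub, "DigiNotar Root CA": dn_pub}

    genuine = issue("google.com", google_pub, "Honest Root CA", honest_priv)
    # With control of the CA's signing key, the attacker issues a certificate
    # for google.com over a key pair the attacker controls.
    rogue = issue("google.com", attacker_pub, "DigiNotar Root CA", dn_priv)

    results = {
        "genuine": validate("google.com", [genuine, honest_root], trust_store),
        "rogue_before_distrust": validate("google.com", [rogue, dn_root], trust_store),
    }
    # Vendor response modelled on the article: pull the root from the store.
    trust_store.pop("DigiNotar Root CA")
    results["rogue_after_distrust"] = validate("google.com", [rogue, dn_root], trust_store)
    results["genuine_after_distrust"] = validate("google.com", [genuine, honest_root], trust_store)
    # Any edit to a signed certificate breaks its signature.
    tampered = dict(genuine, subject="mail.google.com")
    results["tampered"] = validate("mail.google.com", [tampered, honest_root], trust_store)
    return results


if __name__ == "__main__":
    for name, ok in diginotar_scenario().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The rogue chain is accepted while DigiNotar’s key is in the store and rejected the moment it is removed, with no change to the certificate itself; the genuine chain keeps working throughout. That asymmetry is why removing a root is the only remedy available to vendors in this model, and why the EFF’s point about jurisdictions matters: compelling any one of the trusted roots is enough.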

The Dutch government, which relies on the digital signatures issued by DigiNotar for its encrypted communications, has taken over the company’s certificate operations. In addition, it is investigating whether the focus on Iranian users could indicate that the nation’s government may have been involved in the attack.

The certificate system works, but needs increased focus on security, says Amar Doshi, a senior manager of certificate products with security firm Symantec, which acquired and now manages the certificate authority VeriSign.

“All the events of the last couple of weeks really go to show that ‘a cert is a cert is a cert’ doesn’t really apply,” Doshi says. “There are differences between certificates. There are differences between CAs.”

Some of the browser makers seem ready to focus on those differences. Last week, the Mozilla Foundation, the group that manages development of the Firefox browser, provided certificate authorities with a list of security checks to complete within eight days. It said that any authority that fails to comply could have the certificates it issues deemed untrustworthy by Mozilla.

“Participation in Mozilla’s root program is at our sole discretion, and we will take whatever steps are necessary to keep our users safe,” Kathleen Wilson, the program manager in charge of Mozilla’s CA Certificates Module, said in an e-mail to certificate authorities.
