Fake Certificates Reveal Flaws in the Internet's Security

A new report concludes that a breach at a single certificate authority can undermine the security of the entire Internet.

A major breach at a Dutch purveyor of digital certificates has caused some security experts to question the infrastructure that underpins the security of the Internet.

The breach allowed unknown attackers to issue at least 531 fraudulent certificates for major domains, including Google.com, Microsoft.com, and Yahoo.com. Certificates are supposed to verify a website as genuine to a visitor’s Web browser; that verification prevents an attacker from using a forged domain address to steal data. The certificates contain encrypted data that lets browsers and other software confirm that a website is legitimate. So by compromising the digital certificate, an attacker can pose as a secure website, such as Google’s Gmail, and intercept communications, or bypass security mechanisms and install malicious software.

“What is unusual here is not that a certificate authority was compromised, but that someone noticed,” says Moxie Marlinspike, chief technology officer and cofounder of Whisper Systems, a firm focusing on securing mobile communications. “This is happening all the time.”

The compromised certificate company, DigiNotar, is one of about 650 companies, known as certificate authorities, or CAs, that are trusted to issue the certificates. Earlier this year, another certificate authority, Comodo, acknowledged that an attacker had breached the security of its systems and issued at least nine certificates for large domains, including Google, Skype, and Yahoo. At the Black Hat Security Conference in August, Marlinspike criticized the current system of certificate authorities and offered a different model, known as Convergence, based on a peer-to-peer model of trust.

The Electronic Frontier Foundation, a digital rights group, argued in an analysis published this week that recent break-ins suggest that the choice of whether to trust a certificate authority should lay with the user, not with browser vendors or websites.

“These CAs appear to exist within around 50 countries’ jurisdictions,” the authors of the report write. “Any one of these countries could conceivably compel a CA to create fraudulent certificates for purposes of espionage or for spying on that country’s citizens.”

The latest attack demonstrates that a single breach can have far-reaching effects. A preliminary report issued by Dutch security firm Fox-IT in early September found that the intruders exploited significant weaknesses in DigiNotar’s network security, including a single account capable of controlling all its certificate servers and using a weak password for account access. The firm found that more than 300,000 unique IP addresses—almost entirely from Iran—encountered one fraudulent certificate issued for Google’s domain. Already, Apple, Google, Microsoft, and Mozilla have updated their browser to distrust any certificate signed by DigiNotar.

The Dutch government, which relies on the digital signatures issued by DigiNotar for its encrypted communications, has taken over the company’s certificate operations. In addition, it is investigating whether the focus on Iranian users could indicate that the nation’s government may have been involved in the attack.

The certificate system works, but needs increased focus on security, says Amar Doshi, a senior manager of certificate products with security firm Symantec, which acquired and now manages the certificate authority VeriSign.

“All the events of the last couple of weeks really go to show that ‘a cert is a cert is a cert’ doesn’t really apply,” Doshi says. “There are differences between certificates. There are differences between CAs.”

Some of the browser makers seem ready to focus on those differences. Last week, the Mozilla Foundation, the group that manages development of the Firefox browser, provided certificate authorities with a list of security checks to complete in eight days. It said that any authority that fails to comply with the request could find any certificates issued by them deemed untrustworthy by Mozilla.

“Participation in Mozilla’s root program is at our sole discretion, and we will take whatever steps are necessary to keep our users safe,” Kathleen Wilson, the program manager in charge of Mozilla’s CA Certificates Module, said in an e-mail to certificate authorities. 

Become an MIT Technology Review Insider for in-depth analysis and unparalleled perspective.
Subscribe today

Uh oh–you've read all five of your free articles for this month.

Insider Premium

$179.95/yr US PRICE

More from undefined

Want more award-winning journalism? Subscribe and become an Insider.

  • Insider Premium {! insider.prices.premium !}*

    {! insider.display.menuOptionsLabel !}

    Our award winning magazine, unlimited access to our story archive, special discounts to MIT Technology Review Events, and exclusive content.

    See details+

    What's Included

    Bimonthly home delivery and unlimited 24/7 access to MIT Technology Review’s website.

    The Download. Our daily newsletter of what's important in technology and innovation.

    Access to the Magazine archive. Over 24,000 articles going back to 1899 at your fingertips.

    Special Discounts to select partner offerings

    Discount to MIT Technology Review events

    Ad-free web experience

    First Look. Exclusive early access to stories.

    Insider Conversations. Join in and ask questions as our editors talk to innovators from around the world.

  • Insider Plus {! insider.prices.plus !}* Best Value

    {! insider.display.menuOptionsLabel !}

    Everything included in Insider Basic, plus ad-free web experience, select discounts to partner offerings and MIT Technology Review events

    See details+

    What's Included

    Bimonthly home delivery and unlimited 24/7 access to MIT Technology Review’s website.

    The Download. Our daily newsletter of what's important in technology and innovation.

    Access to the Magazine archive. Over 24,000 articles going back to 1899 at your fingertips.

    Special Discounts to select partner offerings

    Discount to MIT Technology Review events

    Ad-free web experience

  • Insider Basic {! insider.prices.basic !}*

    {! insider.display.menuOptionsLabel !}

    Six issues of our award winning magazine and daily delivery of The Download, our newsletter of what’s important in technology and innovation.

    See details+

    What's Included

    Bimonthly home delivery and unlimited 24/7 access to MIT Technology Review’s website.

    The Download. Our daily newsletter of what's important in technology and innovation.

You've read of free articles this month.