October 2011
DigiNotar
By Toby Scott
rants@vcmail.net
No Rick's Rant this month. Sorry about that. Today's topic was just too complicated for him so we had to bring out the tall timber.
Today we talk about SSL, certificates and trust. At the heart of the Internet, there are organizations we don't think about — might not even know about — that are at the center of our online safety. At a time when businesses and individuals are moving to the cloud in huge numbers, being secure online has become far more important than ever before.
Certificates are issued by recognized Root Certificate Authorities, who assure us that when we go to a secure website (they start with https:// rather than the more common http://, and most browsers change the color of the Address Bar) the site is who it says it is. One of the ways we can make sure we are going to our real bank online is that the site has the certificate that validates its identity. If I don't see that https:// I get out of there fast. Same thing for making purchases on Amazon.
Over the years, there has been quite a bit of theorizing over the Chinese government's control of certificates issued by the Hong Kong Post Office. There have been rumors of fake certificates that allow the Chinese government to create man-in-the-middle attacks on various western websites. Whether any of these rumors are true is open to question.
But one Root Certificate Authority, DigiNotar, has put a definite end to speculation about the issuance of fake certificates. DigiNotar is one of Europe's larger certificate issuers, issuing certificates for all of the Dutch government's sites. Someone calling himself "Comodo Hacker" managed to get into their site and create more than 500 fake certificates, including some for Gmail. Researchers at F-Secure have traced the use of the certificates to the government of Iran. Apparently the certificates were used to eavesdrop on email sessions that Iranian citizens thought were secure. The Iranian DNS servers were using the fake certificates to point the user to a fake site, and then using the login credentials to create a real connection to the Gmail account. This "man-in-the-middle" attack allows the Iranian government to eavesdrop on supposedly secure connections without the user being aware that anything is amiss.
DigiNotar earned the irritation of the security community by having a weak password and leaving its SQL server vulnerable to SQL injection. But what really sank them was that they tried to cover it up for several weeks. Microsoft, Firefox, Google, Opera, Safari and nearly all other browsers have removed the DigiNotar certificates from their list of Root Certificate Authorities.
The upshot of this is that less than a month after being hacked, DigiNotar has filed for bankruptcy. Any company that paid for a DigiNotar certificate is probably going to have to pay someone else for a replacement certificate. There is no possibility that DigiNotar can come back. Once you have lost trust with the Internet community, you are cooked. Comodo Hacker, who claims to be a 21-year-old Iranian student, has said he's hacked three other certificate issuers and will begin issuing fake certificates through them. If that's not an empty boast it's going to be an interesting time in an area of the Internet that most of us have paid little or no attention to. Not any more.
Most of us won't suffer much more than inconvenience from these attacks, even if they do manifest themselves. Unless our DNS servers are compromised, they will use the real certificate for authentication and we will go to the proper location. The way Iran hijacked the accounts was to control both the certificates and the DNS. DNS is the service that translates www.google.com into 74.125.224.114 or similar. Iranian DNS had to point to their own sites rather than Google's and then have a certificate authority recognized by the computer say that the IP address was the correct IP address for the certificate. It's a two-step process. For most of us, we don't have to worry about the DNS being hacked, so we don't have to worry about the hacked certificates. Our DNS servers will still point us to the correct site, despite the fact that there is a new certificate pointing elsewhere. Until the primary certificate is revoked, we'll still go to the right place.
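The two checks described above, that a site's certificate chains to a root the computer trusts and that it actually names the site in the address bar, and what happens when browsers pull a root from their trust list, can be seen in this added Go example. It is not code from this column or from any certificate authority; the CA names "Good Root CA" and "Compromised CA", the hostname mail.example.test and the serial numbers are constructed stand-ins for the demonstration, and the example models root removal (distrust), not the revocation of individual certificates.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Host is the constructed hostname both CAs issue a certificate for.
const Host = "mail.example.test"

// Scenario holds two root CAs and the leaf certificate each issued for Host.
// "Compromised CA" is a constructed stand-in for a CA whose issuance was abused.
type Scenario struct {
	GoodRoot, CompromisedRoot *x509.Certificate
	GoodLeaf, RogueLeaf       *x509.Certificate
}

// issue generates a key and signs template with parentKey; with no parent it
// produces a self-signed root.
func issue(template, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	signer := parentKey
	if signer == nil { // self-signed root: template is its own parent
		parent, signer = template, key
	}
	der, err := x509.CreateCertificate(rand.Reader, template, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

func rootTemplate(name string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
}

func leafTemplate(serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		DNSNames:     []string{Host}, // the name the browser matches against the URL
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
}

// BuildScenario creates both roots and has each issue a certificate for Host.
func BuildScenario() (*Scenario, error) {
	goodRoot, goodKey, err := issue(rootTemplate("Good Root CA", 1), nil, nil)
	if err != nil {
		return nil, err
	}
	badRoot, badKey, err := issue(rootTemplate("Compromised CA", 2), nil, nil)
	if err != nil {
		return nil, err
	}
	goodLeaf, _, err := issue(leafTemplate(100), goodRoot, goodKey)
	if err != nil {
		return nil, err
	}
	rogueLeaf, _, err := issue(leafTemplate(200), badRoot, badKey)
	if err != nil {
		return nil, err
	}
	return &Scenario{GoodRoot: goodRoot, CompromisedRoot: badRoot, GoodLeaf: goodLeaf, RogueLeaf: rogueLeaf}, nil
}

// TrustStore builds a root store from the given CAs. A CertPool has no remove
// call: a browser "removes" a CA by shipping a store that no longer contains it.
func TrustStore(roots ...*x509.Certificate) *x509.CertPool {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	return pool
}

// VerifyForHost is the check a browser makes before showing the padlock: the
// certificate must chain to a trusted root AND name the host in the URL.
func VerifyForHost(leaf *x509.Certificate, roots *x509.CertPool, host string) error {
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

func main() {
	s, err := BuildScenario()
	if err != nil {
		panic(err)
	}
	before := TrustStore(s.GoodRoot, s.CompromisedRoot) // both CAs still trusted
	after := TrustStore(s.GoodRoot)                      // compromised CA pulled from the store
	fmt.Println("rogue cert, CA still trusted:", VerifyForHost(s.RogueLeaf, before, Host))
	fmt.Println("rogue cert, CA distrusted:   ", VerifyForHost(s.RogueLeaf, after, Host))
	fmt.Println("real cert, CA distrusted:    ", VerifyForHost(s.GoodLeaf, after, Host))
	fmt.Println("real cert, wrong hostname:   ", VerifyForHost(s.GoodLeaf, after, "other.example.test"))
}
```

While the compromised root is still in the store, the rogue certificate for mail.example.test verifies just as cleanly as the real one, which is why the fake Gmail certificates worked until the root was pulled. Once the store omits that root, the rogue certificate fails with an unknown-authority error while the real one still passes, and any certificate, real or rogue, fails the hostname check for a site it does not name, which is the second half of the two-step process the column describes: the attacker still has to get the victim to the impostor's address before the certificate matters.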

