SSL Myth Busting: Using trusted certificates from a certificate authority (CA) is airtight (actually it’s not)

Posted: September 15, 2011 in Rethink Remote Access, SSL
Tags: , ,

It’s the assumption that “using trusted certificates from a certificate authority (CA) is airtight” that got DigiNotar and Comodo into some hot water this year. Because in reality, certificates – even those from a CA– are certainly not airtight. Here’s why.

Certificates used to authenticate an SSL connection allow for the certain identification of each party and for the negotiation of an encrypted channel for communication. The certificates themselves are files whose alteration can be easily detected and whose origin are verified by a trusted certificate authority, such as Comodo or VeriSign.

The web application developers use this trusted certificates model extensively when building their applications. The problem is that the CA can be spoofed. The Electronic Frontier Foundation staff technologist Peter Eckersley has a good, in-depth analysis of the revelation that Iranian hackers acquired fraudulent SSL certificates for Google, Yahoo, Mozilla and others by spoofing Comodo. CAs sell digitally signed certificates that browsers use to verify their network connections. But with these spoofed certificates, the hackers could undetectably impersonate Yahoo and Google (allowing them to read email even if it was being read over a secure connection). The Mozilla certificate would allow them to slip malicious spyware onto the computer of anyone installing a Firefox plug-in.

HTTPS and other SSL-using protocols (secure SMTP, POP, IMAP, Jabber and many, many others all build on SSL) still offer protection against casual snoopers. They’ll protect against the use of Firesheep in a hipster café just fine. But the trust and security promises that are implicit in the use of SSL, and which are depended on by many—to the extent that people literally bet their life on these protections—are promises that it cannot keep. The centralized trust model doesn’t work.

Comments
  1. […] Continuing our series on SSL Myths, today we deal with the security of SOA web services.  SOA’s simplicity lies in its use of descriptor-based definitions of application transactions that can be articulated directly from a business process into a service description with associated attributes in the description correlating to the procedures of the business process and sub-process threads. […]

  2. […] SSL Myth Busting: Using trusted certificates from a certificate authority (CA) is airtight (actually… (vpnhaus.ncp-e.com) […]

  3. People get all sorts of ideas in their heads about weddings. What is right, what is wrong, what you simply “must have” or what you should never do. And if you are engaged, you have probably had plenty of well meaning people tell you all about how you should plan your wedding. Well, not all of that advice can be true, and it certainly is not. Here are some of the biggest wedding myths, busted!

  4. Dear Vpnhaus,
    Thanks you for your post, In this article I will explain and debunk 3 separate myths all to do with copying your Xbox 360 games. So buckle up and enjoy the ride because for the first time ever I will be blasting Xbox 360 game copying myths out of the sky, just like if I was playing battlefield. So keep reading this article.
    Thx.

  5. […] patch for Windows Phone 7 was  not immediately available. More details surrounding this attack were outlined in Myth 1. But clearly, the priority is not currently on the mobile platform, creating an undeniable threat. […]

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s