Web Authentication: A Broken Trust with No Easy Fix

Monday, January 30, 2012

Infosec Island Admin


Ericka Chickowski of DarkReading has an excellent article on The Future of Web Authentication which traces the evolution of the current system for issuing digital certificates and outlines the considerable problems therein.

Digital certificates used with SSL and TLS let internet browsers recognize legitimate websites and protect surfers from inadvertently exposing themselves to malware, phishing scams, impostors and spoofed landing sites.

Digital certificates are issued by only a handful of Certificate Authorities, such as VeriSign, GoDaddy, and the recently compromised Comodo. An improperly issued certificate for a domain name the requester is not entitled to would allow an attacker to carry out attacks backed by validly signed and authenticated certificates.

Systemic weaknesses, and a general lack of oversight of the process used to issue digital certificates (the foundation of the standards used to validate legitimate websites), have prompted some security experts to wonder whether the system is hopelessly ineffective.

“Right now, it's just an illusion of security. Depending on what you think your threat is, you can trust it on varying levels, but fundamentally, it has some pretty serious problems... The current security of SSL depends on these external entities and there's no reason for us to trust them. They don't have a strong incentive to behave well because they're not accountable,” security researcher Moxie Marlinspike said last spring.

Other security experts agree that the issue comes down to accountability, and that CAs face no serious repercussions for a lack of due diligence in issuing digital certificates.

“In terms of what the CAs do, it seems like it's a bit of the old west. It doesn't seem like anyone is holding them accountable, even when something as severe as the Comodo incident happens,” senior consultant Mike Zusman of security firm Intrepidus Group said previously.

Some instances of digital certificate security lapses include:

The lack of accountability in the industry could lead to certificates being issued that give criminal enterprises the opportunity to conduct large-scale targeted cyber attacks threatening businesses and their clientele.

"You can get an SSL certificate for just about anything... the amount of people I have to trust without my consent is beyond what I would ever choose to trust, and in fact, just using a browser in and of itself means I don't even know who I trust," Chet Wisniewski of Sophos said.

Attempts by internet browser providers to improve digital certificate security are thwarted by the fact that blacklisting the root certificates of companies with a record of issuing bad certificates would also block access to every website that has obtained a valid certificate from those same companies.
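To make the two mechanics in the article concrete (a certificate misissued by a trusted root is indistinguishable to a browser from a legitimate one, and distrusting that root invalidates every site chained to it), here is an added Go example, not code from the article or from DarkReading. It builds a constructed root CA and two leaf certificates in memory with the standard library and checks them the way a client would; the CA name and the host names bank.example and victim.example are constructed, and scenario() returns the three outcomes in the order legitimate cert, misissued cert, legitimate cert after the root is removed from the trust store.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// newCert issues a certificate for cn: self-signed when parent is nil, otherwise signed by parent's key.
func newCert(cn string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // constructed; real CAs use random serials
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
	}
	if isCA {
		tmpl.IsCA, tmpl.KeyUsage = true, x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{cn} // clients match the host name against the SAN list
	}
	signer, signerKey := tmpl, priv // self-signed unless a parent CA is given
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, pub, signerKey)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert, priv
}

// trusted reports whether leaf chains to a root in roots and is valid for host: the whole check a browser performs.
func trusted(leaf *x509.Certificate, host string, roots *x509.CertPool) bool {
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err == nil
}

func scenario() (legitOK, misissuedOK, afterDistrustOK bool) {
	root, rootKey := newCert("Example Root CA", true, nil, nil)
	legit, _ := newCert("bank.example", false, root, rootKey)
	misissued, _ := newCert("victim.example", false, root, rootKey) // signed without vetting the requester
	roots := x509.NewCertPool()
	roots.AddCert(root)
	return trusted(legit, "bank.example", roots), trusted(misissued, "victim.example", roots),
		trusted(legit, "bank.example", x509.NewCertPool()) // empty pool: the root was blacklisted
}
```

Nothing in the verification step can tell the misissued certificate from the legitimate one, which is why the only lever a browser has, removing the root, takes the legitimate sites down with it.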

In December of 2011, the Certification Authority/Browser Forum issued a set of baseline security requirements for certification authorities to implement, in an effort to bolster the effectiveness of secure sockets layer digital certificates.

The new guidance is not expected to have an immediate impact on website authentication, but it does represent a step in the right direction if the Certificate Authority system expects to remain relevant in the long run.

"Thus far, the browser manufacturers haven't shown a tremendous amount of interest in trying to get ahead of this problem and dealing with it once and for all... Anything that requires us to migrate the entire Internet to a different protocol isn't going to happen... Right now, particularly in this space, ideas are easy, but it's getting it done that's the hard part," Marlinspike said.
