SSL Certificates Not as Safe as Once Thought
Over time, security practices that were once thought to be safe change. Many years ago it was believed that viruses could not propagate through email, images, or web pages to attack your system or network. Those beliefs have all been shown to be inaccurate as attack methods evolve and researchers discover new weaknesses and new ways to exploit and expose those weaknesses.
One of the more recent mantras, which has become a key part of ensuring Internet users stay safe online, is to always look for the lock icon or https at the start of the URL when passing sensitive personal or financial information across the Internet to an otherwise trusted remote site (banking, online shopping, etc.). The presence of an SSL certificate that matched the site name (for more advanced users) meant that no one on the network was listening in to the transaction. As phishers and other malware authors became more skilled, the sites being used to capture personal data began obtaining certificates of their own that matched their not-quite-right URLs, while others shifted their focus to the victim's own system, intercepting and siphoning off the data before it was encrypted in the browser and sent across the network.
Recently a couple of cases have caused alarm amongst security watchers, raising the possibility that SSL certificates are not as secure, or as much of a panacea against attack, as many thought.
It was discovered late last year that it is possible through some Certificate Authorities (CAs, the companies that are trusted to issue the SSL certificates that your browsers trust) to obtain authorised certificates for any domain, even when you don't represent it. This means that someone setting out to create a fake yourbank.com domain can obtain a valid SSL certificate for that domain and point it to their fake-yourbank.com site and not have any alerts raised in any web browser.
At the recent CCC conference it was shown that it is possible, given the right set of circumstances, to create a fake Intermediate CA due to weaknesses in the methods used by some Root CAs in issuing their certificates. By creating a fake Intermediate CA, it is then possible to issue valid SSL certificates for any domain at all, and they will all be accepted as valid by visitors' browsers. This is a more concerning development, since it means that once the Intermediate CA has been created, there does not need to be a request made to a valid CA to obtain a certificate for each malicious domain.
For all users, it means one more thing to be careful of when going online: even a valid-looking SSL certificate may no longer actually be valid.
9 January 2009