The Internet Is Still a Scary, Scary Place
By Nick Judd | Thursday, March 24, 2011
The system that lets you check your Gmail account or your bank balance online is complicated, but it rests on a simple idea: one of a small number of firms — called certificate authorities — can be trusted to confirm for you that the server you're trying to reach really belongs to whoever it claims to.
Last week, online security experts say, that trust was violated. A reseller affiliate of Comodo, one of the largest certificate authorities on the Internet, acting as a registration authority for its certificates, was hacked, and the attacker became able, in certain circumstances, to impersonate Google, Gmail, Yahoo!, Skype, and addons.mozilla.com. Comodo says it caught the activity quickly and that there is no evidence the attacker gained anything from it. But "there's no evidence" is different from "it didn't happen."
Comodo believes this latest attack originated in Iran, and that it was likely carried out by the Iranian government. If so, it was most likely a problem for activists inside Iran, where traffic passes through computers controlled by the state, and not likely to be a problem for anyone anywhere else. (Though it could have been. See the EFF's explanation.) But there isn't concrete evidence that this is the case. It could just be a very good hacker leaving a false trail, and the attack might have no consequence beyond exposing a core problem with the integrity of HTTPS itself. That alone is a bigger deal than it would have been a year ago, given that HTTPS has become the go-to means of securing communications for activists around the world. The Wall Street Journal has an article on the incident, although CNET's is more technical and detailed.
For a more technical and well-informed take, Internet security activists Jacob Appelbaum, who is widely credited with blowing the lid off a vulnerability that otherwise might never have been made public, and Steve Schultze are also good reads. It has long been known that certificate authorities are not as secure as they should be.