Why Security Company Security is Critical

What happens when the Certificate Authority companies get hacked?

Well, depends on who’s doing it.

If it’s a security researcher proving that MD5 is broken by creating a rogue Certificate Authority as was presented several years ago at the 25th Chaos Communications Congress (25CCC:http://www.phreedom.org/research/rogue-ca/) in Berlin, it’s a wake up call to fix it before the criminals start the attacks.

But if it’s Iran, nothing good. If it’s RBN, nothing good. They get to create legitimate looking secure websites until someone smart enough, like Jacob Appelbaum, one of the presenters of the rogue CA at 25CCC, to see the fake despite PKI technology validating authenticity.

Comodo’s lapse (http://kohi10.wordpress.com/2011/03/23/comodo-warns-of-serious-ssl-cert-breach/) was recently cleaned up after a security researcher detected fake certificates despite being signed by a trusted root CA. Now they’ve been hacked again. At least Comodo’s CTO, Robin Alden, has fessed up.

http://www.eweek.com/c/a/Security/Comodo-Inspires-No-Confidence-as-Hacker-Compromises-Two-More-Accounts-454549/

“The Iranian hacker that managed to trick Comodo into issuing nine fraudulent certificates appear [sic] to have compromised two more registration authority accounts, raising questions of what exactly is going on at the certificate authority.”

At stake are: the security of our banking sites, e-comm, VPN, Secure wireless, signed code and many other business systems that depend on trust. Shoot… as one of the above blog entry stated, the underlying integrity of the internet as a platform for business or any other function requiring trust is put in doubt.

What can be done? First off, a review by the browser vendors or some authority is needed that can revoke a CA’s right to exist if they prove unworthy of that trust. Secondly, critical software that depends on certificates’ chain of trust being certified by the correct CA needs to be configurable to allow only that CA to establish the trust. Other detection mechanisms are needed as well. Perhaps real business sites should track back to referrer sites and snoop around. Perhaps the search engine companies in their web crawling should if not already be detecting anomalies in secure sites’ trusted root CA signer.