By Dave Gibson of Deep Blue
What looks like your email, but may not actually be your email? Possibly a sophisticated fake created by the Iranian government to monitor your communication, so sophisticated, in fact, that those providing the perfect mock-up of your email are using a valid SSL certificate. This gives your browser the impression that the page is authentic (in the most recent case it masqueraded as a legitimate Google service) and bypasses any warning that you could normally expect when visiting a fraudulent page.
This is not the first time such a sophisticated ruse has been used to target communications, from email to instant messenger programs. Such occurrences are known by the sinister name ‘man-in-the-middle’ attacks, where an invisible third party can eavesdrop on sensitive information. This time, the security breach is so serious that Google and Mozilla have taken the unprecedented step of temporarily blocking any websites with certificates issued by DigiNotar, the Dutch Certificate Authority whose certificates were used.
Okay, so most of us aren’t being monitored by despotic regimes, in fact even if the UK Security Services were spying on our Skype messaging, they might find out little more than our thoughts on the new Blade Runner movie, right? I mean, MI5 have got their work cut out with hunting terrorists, honey-trapping student protesters and replacing laptops they lost on their morning commute, why would they be interested in me?
Well, the problem is that not all hackers are in the pay of over-officious bureaucracies with more money than sense. More active in their misuse of your data are professional tech-savvy fraudsters, such as those who committed a similar attack on PayPal a few years ago. SSL certification, at the forefront of web security for nearly two decades, is an obvious target for cyber-criminals.
The most disturbing thing is the lag between the misuse of a certificate and the removal of the threat it creates. The newly discovered fake certificate is thought to have been created several weeks ago, and the PayPal attack took Microsoft months to resolve. One web security expert stated that the only thing notable about the most recent security lapse is “that anyone noticed.”
There is clearly something of a serious market failure here, with concerns about the accountability of many companies like DigiNotar who are entrusted with such a fundamentally essential aspect of web security. That, after so many years of use, Certification Authorities (CAs) lack such accountability suggests governments are far from on top of this issue. Others fear government-owned CAs are already exploiting the false sense of security SSL provides by creating their own near-seamless fakes to spy on their citizens. The Chinese authorities are known to issue their own SSL certificates, and nothing can stop them issuing ones claiming to be Google+ or Yahoo Mail.
Given the failures of the UK authorities in dealing with the comparatively prehistoric issue of phone-hacking, it would be very unwise to put faith in state-driven solutions, yet there is hope for a private-sector solution. That some web browsers are now blocking every website certified by DigiNotar is a drastic measure, given that so many legitimate websites will also be hit, yet it shows a markedly serious response to security fears. Perhaps they are trying to avoid the damage to market share that Microsoft suffered from security concerns, captured in the old joke that Internet Explorer should not be used in “hostile environments such as the Internet”. The problem is to find a way that web browsers, CA clientele, and you and I can verify the integrity of the CAs themselves.
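The point made above, and in the opening paragraphs, is that a fraudulently issued certificate passes the browser's chain validation because it really was signed by a trusted CA, so a second, independent check is needed: is this certificate issued by the CA we expect for this host? The following is an added example, not code from the original article or from any browser vendor. It assumes a small hand-written pin table (hostname to expected issuer organization), and the two certificate dicts are constructed to mimic the shape Python's `ssl.SSLSocket.getpeercert()` returns; the issuer names in them are illustrative.

```python
"""Issuer and fingerprint pinning on top of normal TLS chain validation.

Added example (not part of the original article). The certificate dicts
below are constructed to mimic ssl.SSLSocket.getpeercert() output; the pin
table and issuer names are assumptions for illustration.
"""
import hashlib
import socket
import ssl

# Hostname -> set of issuer organizationName values we expect to see.
# Constructed pin table; a real deployment would fill it from policy or
# from previously observed, verified connections (trust-on-first-use).
EXPECTED_ISSUERS = {
    "mail.google.com": {"Google Internet Authority"},
}


def rdn_value(name, key):
    """Pull one attribute (e.g. 'organizationName') out of the nested
    tuple-of-tuples structure getpeercert() uses for subject and issuer."""
    for rdn in name:
        for k, v in rdn:
            if k == key:
                return v
    return None


def issuer_matches(hostname, cert):
    """True if the certificate's issuer is one we expect for this host.

    A certificate that chains to a trusted root but was issued by an
    unexpected CA (the DigiNotar scenario) fails here even though the
    browser's ordinary chain check would accept it."""
    expected = EXPECTED_ISSUERS.get(hostname)
    if expected is None:
        # No pin recorded for this host: rely on chain validation alone.
        return True
    org = rdn_value(cert.get("issuer", ()), "organizationName")
    return org in expected


def sha256_hex(der_bytes):
    """SHA-256 fingerprint of a DER-encoded certificate as lowercase hex."""
    return hashlib.sha256(der_bytes).hexdigest()


def fingerprint_matches(der_bytes, pinned_fingerprint):
    """Leaf-certificate pin: compare the DER fingerprint against a stored
    value. Accepts the colon-separated uppercase form tools usually print."""
    normalised = pinned_fingerprint.replace(":", "").lower()
    return sha256_hex(der_bytes) == normalised


# Constructed sample certificates shaped like getpeercert() output.
GENUINE_CERT = {
    "subject": ((("commonName", "mail.google.com"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Google Internet Authority"),)),
}
FRAUDULENT_CERT = {
    "subject": ((("commonName", "mail.google.com"),),),
    "issuer": ((("countryName", "NL"),),
               (("organizationName", "DigiNotar"),)),
}


def check_live(hostname, port=443, timeout=5):
    """Connect, let the ssl module do chain and hostname validation (it
    raises on failure), then apply the issuer pin on top. Network use only;
    not exercised by the samples above."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return issuer_matches(hostname, tls.getpeercert())


if __name__ == "__main__":
    print("genuine:", issuer_matches("mail.google.com", GENUINE_CERT))
    print("fraudulent:", issuer_matches("mail.google.com", FRAUDULENT_CERT))
```

Both sample certificates would pass a browser's chain check if their issuers were in the root store; only the pin table distinguishes them. The issuer pin is deliberately coarse (organization name rather than key) so that routine certificate renewals from the same CA do not break it, while the fingerprint pin is the stricter option for a client that controls both ends.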
In the meantime, we are all insecure in a discredited web security regime which is as deceptively integral as Doctor Who’s psychic paper. The only comfort can be that now CAs are being directly punished for security lapses, accountability may finally emerge from within the market. If you’re a political dissident targeted by the most recently discovered lapse, however, you are left with an urgent question: who exactly are you talking to?