Trust in the Internet falters after DigiNotar, Comodo hacked

September 28th, 2011

The keepers of the Internet have become acutely concerned about the Web’s core trustworthiness.

A hacker cracked into digital certificate supplier DigiNotar this summer and began issuing forged digital certificates for hundreds of web pages published by dozens of marquee companies.

Unable to cope with the fallout, the Dutch firm, a division of Vasco, filed for bankruptcy on Sept. 20, 2011 and abruptly closed up shop. Two other digital certificate companies — New Jersey-based Comodo and Japanese-owned GlobalSign — were similarly hacked this summer, exposing a glaring weakness in the Internet’s underpinnings, security analysts say.

“The infrastructure baked into the Internet, which is based on trust, is starting to fall apart,” says Michael Sutton, research vice-president at security firm Zscaler. “If somebody can issue faked digital certificates, it throws the entire process into chaos.”

The hacked firms are among more than 650 certificate authorities, or CAs, worldwide. CAs work behind the scenes with the five top web browsers — Microsoft’s Internet Explorer, Firefox, Opera, Apple’s Safari and Google’s Chrome — to assure the authenticity of web pages where consumers type in sensitive information, such as account logons, credit card numbers and personal data.

Digital certificates let consumers submit information over an encrypted connection between the user’s web browser and the website’s server. The certificate assures the user that the web page is authentic. But the unprecedented attacks against CAs show how fragile that trust can be.

Deep foothold

Upon gaining a foothold deep inside DigiNotar’s systems, a counterfeiter was able to issue valid certificates for 531 faked pages, impersonating online properties of Google, Microsoft, Skype, Equifax, Twitter, Facebook and the CIA, among others, according to a report by consulting firm Fox-IT.

This touched off a scramble to revoke bogus DigiNotar certificates and cut off the faked pages. Counterfeiting digital certificates isn’t trivial, says Josh Shaul, chief technical officer at security firm AppSec.

“It takes a tremendous amount of planning and skillful execution to compromise a certificate authority,” says Shaul. “In other words, it’s a very expensive hack to pull off. For that reason, we won’t see widespread compromise of CAs; however, when the risk and costs are worth the reward, attackers with the means will not hesitate to act.”

Even so, the successful hacks demonstrated that it is possible to “impersonate any site on the Internet,” says Shaul. “That’s like an Internet superpower, and like any superpower, it can be very dangerous in the wrong hands.”

The DigiNotar attack most likely was not aimed at carrying out garden-variety Web scams, says Mikko Hypponen, chief researcher at antivirus firm F-Secure. No banks or payment service websites were targeted, he says.

The hacker seemed much more interested in harvesting personal data from e-mail services, social networks, credit bureaus, blogging sites and anonymity services. The possible end game: espionage or political gain.

More hacks likely

According to the Fox-IT report, the DigiNotar hacker issued 531 counterfeit digital certificates for web pages on google.com, android.com, microsoft.com, update.microsoft.com, login.live.com, login.yahoo.com, aol.com, wordpress.com, twitter.com, facebook.com, equifax.com and cia.gov, among other web domains.

The forged Google webpages were used to spy on some 300,000 Internet users in Iran. “We’ll likely see more attempts like this by the same attacker,” says Hypponen. “It’s good to note that many countries don’t have to resort to tactics like this in order to spy on their own people: if they have their own root CA, they can just issue the certificates they need themselves. There would be no need to hack a foreign CA. The attacker claims he’s not directly involved with the Iranian government. He says he wants to help his government to catch people who are ‘against Iranian government or Islam.’”

Roel Schouwenberg, senior researcher at Kaspersky Lab, shares similar concerns. “I’m most concerned about disruption as a motive,” he says. “I’m talking about cyber-war but even more so about hacktivism.

“There’s not a whole lot which can be done here,” Schouwenberg continues. “There are many different angles in which disruption can be leveraged. There are no easy fixes – the trust model is broken and if someone’s only intent is to showcase that . . . well, nothing we can do currently.”

Google spokesman Jay Nancarrow noted that Google’s Chrome browser detected one of the faked certificates “that ultimately led to the revelation of the DigiNotar compromise.”

More hackproofing needed

The pressure is now on CAs worldwide to make themselves more hackproof, and on the browser makers to do more to identify and quickly eradicate counterfeit certificates and faked web pages, security experts say.

Symantec’s Michael Lin, Senior Director of Product Management, says the current system can be salvaged.

“We believe core SSL technology is perfectly viable,” says Lin. “The attacks have not demonstrated an ability to compromise the technology, they have attacked the infrastructure and practices around SSL.”

Symantec advises use of solidly trustworthy CAs. “In the market today, not all CAs are created equal,” says Lin. “Customers who are protected with a CA should continue to transact online with confidence.”

Even so, Jeff Hudson, CEO of digital certificate management firm Venafi, cautions that the hacks that unfolded this summer are just the beginning.

“Data is the new currency and cyber criminals have been trying to steal it since the beginning of the Internet,” says Hudson. “They’ll always target the most high-value target, like a CA responsible for establishing and validating trust on the web.”

Hudson says shoring up digital certificate authentication is “a huge issue with significant ramifications to business productivity and company brand. No one knows where the next breach will occur, or whether it will occur in a week or three months.”

Microsoft, maker of the world’s most widely used web browser, Internet Explorer, declined comment, as did Apple, maker of the Safari browser.

However, spokesmen for Mozilla, maker of the No. 2 Firefox browser, and Opera, a browser used widely in Europe and on cell phones, noted that steps are being taken to shore up the current system.

“The security of the Web is our collective responsibility,” says Johnathan Nightingale, Mozilla’s director of Firefox engineering. “To improve it, we need a continuing, and open, dialog supported by focused action.”

Adds Opera’s Jan Standal, VP of Desktop Product: “No system is perfect. The question is how to reduce the risk of compromise, and – in case of a compromise – how to reduce the impact. In DigiNotar’s case, we need to uncover how they were compromised and how the impact got to be so widespread.”

–Byron Acohido