Like it or not, the basis of trust for much of the Internet is based on
Certificate Authorities (CA). Companies like Verisign, GoDaddy, and
GeoTrust are in the trust business. They will sell you cryptographic
proof of your Internet assets (namely your domain name) that others can
use to verify that when they visit your website that they are actually
visiting yourwebsite and not some lookalike website. This is
important as you don't want to give your login credentials to your bank
account to a lookalike web page that really isn't your bank.
The trouble is, how do you know the CAs are doing their due diligence
and not just issuing certificates to people who just claim to own a
name? Well, I'm not
sure we do know, as users.
other web browsers, has a policy for including
their browser product but a quick look at the list of CAs that are
shows that we as users probably can't go behind and verify them all.
If I were a conspiracy theorist I would be looking real hard at what the
Electronic Freedom Foundation (EFF) recently
released about the NSA spying
According to their research (and that of the Guardian and others) the
NSA is actively performing man-in-the-middle
(MITM) to get malware into computers. This malware allows the NSA (and
anyone else capable of accessing these infected computers) to circumvent
protections put in place to keep information passed over the Internet
secure. To do these MITM attacks one would need to provide users with a
valid SSL certificate if they happen to be visiting a site that is
supposed to be secured. The only way of doing this is to either obtain
the SSL certificates from the real sites or to create their own and have
them trusted by a trusted CA. With that in mind, I wonder which option
is more probable?
It's good to note that these types of attacks are not solely done by the
NSA. Gaining access to computers is a very profitable business and one
that people other than governments can do. It's important to protect
yourself against these attacks and be smart when surfing the Internet.
The end of the EFF
contains information on how to protect your computer (and yourself) and
is a good read for everyone.