Trusting Trusted CAs

Wed 09 October 2013

Like it or not, the basis of trust for much of the Internet is Certificate Authorities (CAs).  Companies like Verisign, GoDaddy, and GeoTrust are in the trust business.  They will sell you cryptographic proof of your Internet assets (namely your domain name) that others can use to verify that when they visit your website they are actually visiting your website and not some lookalike.  This matters because you don't want to hand the login credentials for your bank account to a lookalike web page that isn't really your bank.

The trouble is, how do you know the CAs are doing their due diligence and not simply issuing certificates to anyone who claims to own a particular domain name?  Well, I'm not sure we do know, as users.  Mozilla, like other browser makers, has a policy for including CAs in its browser product, but a quick look at the list of CAs already in Firefox shows that we as users can't realistically go back and verify them all.

If I were a conspiracy theorist I would be looking real hard at what the Electronic Frontier Foundation (EFF) recently released about the NSA spying program.  According to their research (and that of the Guardian and others) the NSA is actively performing man-in-the-middle (MITM) attacks to get malware onto computers.  This malware allows the NSA (and anyone else capable of accessing these infected computers) to circumvent the protections put in place to keep information passed over the Internet secure.  To carry out such a MITM attack against a site that is supposed to be secured, the attacker has to present users with an SSL certificate their browser accepts as valid.  The only ways to do that are to obtain the SSL certificates from the real sites or to create their own and have them issued by a CA that browsers already trust.  With that in mind, I wonder which option is more probable?
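To make that second option concrete, here is an added example (written for this page, not code from the original post) using only Go's standard library: a client that trusts two root CAs accepts a certificate for the same host from either of them, while a client that pins the public key it first saw for the site rejects the substitute. The root names and the host bank.example are constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue builds a self-signed root when parent is nil, otherwise a server certificate for host signed by parent.
func issue(cn, host string, parent *x509.Certificate, pkey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // a fresh key per certificate (constructed demo material)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), BasicConstraintsValid: true}
	if parent == nil { // root: self-signed and allowed to sign other certificates
		tmpl.IsCA, tmpl.KeyUsage = true, x509.KeyUsageCertSign
		parent, pkey = tmpl, key
	} else { // leaf: bound to the host name and usable for TLS server authentication
		tmpl.DNSNames = []string{host}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, pkey)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// chainOK is the browser's check: accept leaf if any trusted root signed a chain for host.
func chainOK(leaf *x509.Certificate, roots *x509.CertPool, host string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}

// spkiPin hashes the SubjectPublicKeyInfo, the value a key pin remembers for a site.
func spkiPin(c *x509.Certificate) [32]byte { return sha256.Sum256(c.RawSubjectPublicKeyInfo) }
// Demo: two trusted roots, the genuine site certified by the first, a substitute for the same host by the second.
func Demo() (genuineOK, substituteOK, pinMatch bool) {
	ca1, k1 := issue("Demo Root One", "", nil, nil)
	ca2, k2 := issue("Demo Root Two", "", nil, nil)
	genuine, _ := issue("bank.example", "bank.example", ca1, k1)
	substitute, _ := issue("bank.example", "bank.example", ca2, k2)
	roots := x509.NewCertPool() // the client's trust store holds both roots
	roots.AddCert(ca1)
	roots.AddCert(ca2)
	return chainOK(genuine, roots, "bank.example"), chainOK(substitute, roots, "bank.example"), spkiPin(substitute) == spkiPin(genuine)
}
```

Chain validation says yes to both certificates because both issuers sit in the trust store; only the pin, taken from the genuine certificate's key, tells the substitute apart.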

It's worth noting that these types of attacks are not carried out solely by the NSA.  Gaining access to computers is a very profitable business, and one that parties other than governments engage in.  It's important to protect yourself against these attacks and to be smart when surfing the Internet.  The end of the EFF story contains information on how to protect your computer (and yourself) and is a good read for everyone.

By Sparks, Category: Information Security

Tags: CA / certificate authority / NSA / spying / SSL / TLS / trust / Encryption / Integrity / Privacy /
