Has ComodoHacker signalled the end of the CA system?

News 9 Sep, 2011

The CA system has come under fire after ComodoHacker causes carnage, but what is the alternative?

ANALYSIS A certain pesky web denizen known as ComodoHacker has been causing a commotion recently.

Last week, he/she claimed a hack on Certificate Authority (CA) DigiNotar, resulting in over 500 fake website certificates being issued for big-time services including Gmail and an MI6 website.

Then Belgian CA GlobalSign stopped issuing authentication certificates after ComodoHacker claimed to have gained access to its servers. They also claimed to have broken into three other certificate authorities outside of GlobalSign and DigiNotar.

The hacker has also threatened to use the fraudulent certificates to carry out man in the middle attacks on organisations in Europe, Israel and the US.

I don’t know if this is fixable at all, short of worldwide social changes.

Earlier in the year, another CA known as Comodo was hacked. Can you guess where ComodoHacker got their name?

Outside of the significant cyber war implications, with some saying the DigiNotar hack will have wider connotations than Stuxnet, ComodoHacker has again thrown the whole CA system’s credibility into doubt.

Time for a change

There’s little doubt something needs to change. It no longer seems sensible to carry on placing all our trust in over 650 CAs, with whom the end user never has any direct contact. They are an invisible force and, in some cases, a weak one. Given their whole business is based on trust, the CAs themselves will be feeling more than tetchy about the current situation.

There are many pertinent questions that need to be asked about the security of the CA system.

“How many of them do you know, let alone trust? Should you trust a state-owned CA more than a commercial concern, or should you trust in market forces and vested interests to override political expediency? Where is the global authority with the mandate and the impartiality to authenticate all those CAs? Who would authenticate the authenticators?” said David Harley, senior research fellow at ESET.

“The problems aren’t so much with the technicalities of SSL, as with the difficulties of implementing a system that assumes trust in the provider without a realistic mechanism for determining where you can safely invest that trust.”

Harley wasn’t sure if the system could be fixed at all. We may be stuck with a flawed framework forever.

“I don’t know if this is fixable at all, short of worldwide social changes on the scale of an accelerated continental drift (but in reverse). We’ve arbitrarily decided to invest trust in CAs, and the opportunities for withdrawing that trust (at any rate without the cooperation of the CAs) are severely restricted (i.e. to take it or leave it),” he told IT Pro.