Has ComodoHacker signalled the end of the CA system?

The CA system has come under fire after ComodoHacker causes carnage, but what is the alternative?

ANALYSIS A certain pesky web denizen known as ComodoHacker has been causing a commotion recently.

Last week, he/she claimed a hack on Certificate Authority (CA) DigiNotar, resulting in over 500 fake website certificates being issued for big-time services including Gmail and an MI6 website.

Then Belgian CA GlobalSign stopped issuing authentication certificates after ComodoHacker claimed to have gained access to its servers. They also claimed to have broken into three other certificate authorities outside of GlobalSign and DigiNotar.

The hacker has also threatened to use the fraudulent certificates to carry out man in the middle attacks on organisations in Europe, Israel and the US.

I don't know if this is fixable at all, short of worldwide social changes.

Earlier in the year, another CA known as Comodo was hacked. Can you guess where ComodoHacker got their name?

Outside of the significant cyber war implications, with some saying the DigiNotar hack will have wider connotations than Stuxnet, ComodoHacker has again thrown the whole CA system's credibility into doubt.

Time for a change

There's little doubt something needs to change. It no longer seems sensible to carry on placing all our trust in over 650 CAs, with whom the end user never has any direct contact. They are an invisible force and, in some cases, a weak one. Given their whole business is based on trust, the CAs themselves will be feeling more than tetchy about the current situation.

There are many pertinent questions that need to be asked about the security of the CA system.

"How many of them do you know, let alone trust? Should you trust a state-owned CA more than a commercial concern, or should you trust in market forces and vested interests to override political expediency? Where is the global authority with the mandate and the impartiality to authenticate all those CAs? Who would authenticate the authenticators?" said David Harley, senior research fellow at ESET.

"The problems aren't so much with the technicalities of SSL, as with the difficulties of implementing a system that assumes trust in the provider without a realistic mechanism for determining where you can safely invest that trust."

Harley wasn't sure if the system could be fixed at all. We may be stuck with a flawed framework forever.

"I don't know if this is fixable at all, short of worldwide social changes on the scale of an accelerated continental drift (but in reverse). We've arbitrarily decided to invest trust in CAs, and the opportunities for withdrawing that trust (at any rate without the cooperation of the CAs) are severely restricted (i.e. to take it or leave it)," he told IT Pro.

Featured Resources

Managing security risk and compliance in a challenging landscape

How key technology partners grow with your organisation

Download now

Evaluate your order-to-cash process

15 recommended metrics to benchmark your O2C operations

Download now

AI 360: Hold, fold, or double down?

How AI can benefit your business

Download now

Getting started with Azure Red Hat OpenShift

A developer’s guide to improving application building and deployment capabilities

Download now

Most Popular

IT retailer faces €10.4m GDPR fine for employee surveillance
General Data Protection Regulation (GDPR)

IT retailer faces €10.4m GDPR fine for employee surveillance

18 Jan 2021
Citrix buys Slack competitor Wrike in record $2.25bn deal

Citrix buys Slack competitor Wrike in record $2.25bn deal

19 Jan 2021
Should IT departments call time on WhatsApp?

Should IT departments call time on WhatsApp?

15 Jan 2021