
Has ComodoHacker signalled the end of the CA system?

The CA system has come under fire after ComodoHacker causes carnage, but what is the alternative?

ANALYSIS A certain pesky web denizen known as ComodoHacker has been causing a commotion recently.

Last week, he/she claimed a hack on Certificate Authority (CA) DigiNotar, resulting in over 500 fake website certificates being issued for big-time services including Gmail and an MI6 website.

Then Belgian CA GlobalSign stopped issuing authentication certificates after ComodoHacker claimed to have gained access to its servers. ComodoHacker also claimed to have broken into three other certificate authorities besides GlobalSign and DigiNotar.

The hacker has also threatened to use the fraudulent certificates to carry out man-in-the-middle attacks on organisations in Europe, Israel and the US. A fraudulent certificate on its own is not an attack: it only becomes one once the attacker can also steer a victim's traffic (through DNS, a compromised router or an upstream network) to a server that presents it. At that point the browser sees a certificate chaining to a trusted CA and shows no warning at all.


Earlier in the year, another CA known as Comodo was hacked. Can you guess where ComodoHacker got their name?

Outside of the significant cyber war implications, with some saying the DigiNotar hack will have wider ramifications than Stuxnet, ComodoHacker has again thrown the whole CA system's credibility into doubt.

Time for a change

There's little doubt something needs to change. It no longer seems sensible to carry on placing all our trust in over 650 CAs, with whom the end user never has any direct contact. Any one of those CAs can issue a certificate for any domain name, and a browser will accept it without asking whether that CA has ever had anything to do with the site, so the whole system is only as strong as its most careless member. They are an invisible force and, in some cases, a weak one. Given their whole business is based on trust, the CAs themselves will be feeling more than tetchy about the current situation.

There are many pertinent questions that need to be asked about the security of the CA system.

"How many of them do you know, let alone trust? Should you trust a state-owned CA more than a commercial concern, or should you trust in market forces and vested interests to override political expediency? Where is the global authority with the mandate and the impartiality to authenticate all those CAs? Who would authenticate the authenticators?" said David Harley, senior research fellow at ESET.

"The problems aren't so much with the technicalities of SSL, as with the difficulties of implementing a system that assumes trust in the provider without a realistic mechanism for determining where you can safely invest that trust."

Harley wasn't sure if the system could be fixed at all. We may be stuck with a flawed framework forever.

"I don't know if this is fixable at all, short of worldwide social changes on the scale of an accelerated continental drift (but in reverse). We've arbitrarily decided to invest trust in CAs, and the opportunities for withdrawing that trust (at any rate without the cooperation of the CAs) are severely restricted (i.e. to take it or leave it)," he told IT Pro.
