Has ComodoHacker signalled the end of the CA system?

The CA system has come under fire after ComodoHacker causes carnage, but what is the alternative?

ANALYSIS A certain pesky web denizen known as ComodoHacker has been causing a commotion recently.

Last week, he/she claimed a hack on Certificate Authority (CA) DigiNotar, resulting in over 500 fake website certificates being issued for big-time services including Gmail and an MI6 website.

Then Belgian CA GlobalSign stopped issuing authentication certificates after ComodoHacker claimed to have gained access to its servers. They also claimed to have broken into three other certificate authorities outside of GlobalSign and DigiNotar.

Advertisement - Article continues below

The hacker has also threatened to use the fraudulent certificates to carry out man in the middle attacks on organisations in Europe, Israel and the US.

I don't know if this is fixable at all, short of worldwide social changes.

Earlier in the year, another CA known as Comodo was hacked. Can you guess where ComodoHacker got their name?

Outside of the significant cyber war implications, with some saying the DigiNotar hack will have wider connotations than Stuxnet, ComodoHacker has again thrown the whole CA system's credibility into doubt.

Time for a change

There's little doubt something needs to change. It no longer seems sensible to carry on placing all our trust in over 650 CAs, with whom the end user never has any direct contact. They are an invisible force and, in some cases, a weak one. Given their whole business is based on trust, the CAs themselves will be feeling more than tetchy about the current situation.

Advertisement - Article continues below
Advertisement - Article continues below

There are many pertinent questions that need to be asked about the security of the CA system.

"How many of them do you know, let alone trust? Should you trust a state-owned CA more than a commercial concern, or should you trust in market forces and vested interests to override political expediency? Where is the global authority with the mandate and the impartiality to authenticate all those CAs? Who would authenticate the authenticators?" said David Harley, senior research fellow at ESET.

"The problems aren't so much with the technicalities of SSL, as with the difficulties of implementing a system that assumes trust in the provider without a realistic mechanism for determining where you can safely invest that trust."

Harley wasn't sure if the system could be fixed at all. We may be stuck with a flawed framework forever.

"I don't know if this is fixable at all, short of worldwide social changes on the scale of an accelerated continental drift (but in reverse). We've arbitrarily decided to invest trust in CAs, and the opportunities for withdrawing that trust (at any rate without the cooperation of the CAs) are severely restricted (i.e. to take it or leave it)," he told IT Pro.

Featured Resources

The case for a marketing content hub

Transform your digital marketing to deliver customer expectations

Download now

Fast, flexible and compliant e-signatures for global businesses

Be at the forefront of digital transformation with electronic signatures

Download now

Why CEOS should care about the move to SAP S/4HANA

And how they can accelerate business value

Download now

IT faces new security challenges in the wake of COVID-19

Beat the crisis by learning how to secure your network

Download now

Most Popular


Apple confirms serious bugs in iOS 13.5

4 Jun 2020

The UK looks to Japan and South Korea for 5G equipment

4 Jun 2020

Tycoon ransomware discovered using Java image files to target software firms

5 Jun 2020