Monday, 13 June 2011

How is SSL hopelessly broken?

Every year or so, a crisis exposes a fracture deep enough to call into question whether SSL can keep functioning as the Internet's foundation of trust.

In 2008, a devastating weakness in SSL came to light involving certificates issued by a VeriSign subsidiary. The following year, more than two months after a basic weakness in Internet Explorer was made public, Chrome and Safari could still be fooled by counterfeit certificates minted to exploit it.

And in 2010, the mystery of a root certificate attributed to RSA Security went unresolved for four days, until its owner finally stepped forward to acknowledge the orphaned credentials, which were included in Mac OS X and Mozilla's software.

This year, as was revealed last month, unknown hackers broke into a server belonging to a reseller of Comodo, one of the most widely used certification authorities in the world, and minted counterfeit certificates for Google and other important web mail sites. Until Google Chrome, Mozilla Firefox and Internet Explorer 7 and 8 each blacklisted the counterfeits, users of those browsers could have had some of their most intimate conversations on the web intercepted by fraud.

SSL, which made its debut in 1994, provides encryption for electronic commerce and other confidential Internet communications. At the heart of the system is a private key that lets a web publisher prove to visitors that it is the rightful owner of the domain and that the user's connection has not been hijacked. Countless websites use SSL certificates to encrypt passwords, e-mail and other data so that anyone able to monitor the traffic passing between the two parties cannot read it.

It is hard to exaggerate how much SSL's reliability matters to Google, Microsoft, Bank of America and the millions of other companies that operate SSL websites. Moreover, the repeated failures suggest that the system in its current state is hopelessly broken.

"Right now, it's just an illusion of security," said Moxie Marlinspike, a security researcher who has repeatedly poked holes in the technology underpinning SSL. "Depending on what you think the threat is, you can basically trust them at different levels, which is a fairly serious problem."

Critics concerned about SSL's vulnerability have reserved their most biting reviews for the business practices of Comodo, VeriSign, Go Daddy and the other certification authorities, known as CAs for short. Because their root certificates are included in Internet Explorer, Firefox and the other major browsers, they cannot be removed without creating confusion across a vast swath of the Internet.

In that sense, they are like Citigroup, American International Group and the other investment companies that the U.S. government deemed "too big to fail" when it decided they should receive multi-billion-dollar bailouts from taxpayers.

"SSL's current security is dependent on these external entities, and for these reasons there is no reason for us to trust them," said Marlinspike. "They do not have a strong incentive to do their work because they are not held responsible."

In December of the same year, a Comodo affiliate issued a certificate, no questions asked, to a researcher for a domain belonging to an open source software outfit.

The sloppy issuance of certificates continues. Last week, an analyst at the Electronic Frontier Foundation reported that CAs have issued SSL certificates for more than 37,000 so-called unqualified domain names such as "localhost", "exchange" and "Exchange01". Those are prefixes that many organizations add to their domains to designate Microsoft Exchange servers and other internal resources.

Go Daddy was the worst offender, but other CAs were also found guilty of a practice that could in fact help attackers target a large number of corporate intranets and mail servers, said the EFF's Chris Palmer.

"The signing of 'localhost' is humorous, but the CAs' signing of other unqualified names creates a real risk," Palmer wrote. "What happens when an attacker is able to receive a CA-signed certificate for names such as 'mail' or 'webmail'? Such an attacker is in a perfect position for a man-in-the-middle attack and will be able to spoof the identity of the organization's webmail server!"
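An audit helper in the spirit of the EFF finding above, added here as an example and not code from the article or the EFF: it walks certificates in the dict layout that Python's `ssl` module returns from `getpeercert()` and flags names a public CA should never have signed. The function names and the sample certificates are constructed for this example.

```python
"""Flag SSL certificates issued for unqualified or non-public host names.

Certificates use the dict layout that ssl.SSLSocket.getpeercert() returns;
the sample certificates below are constructed for this example.
"""

# Top-level labels that are never delegated on the public Internet.
NON_PUBLIC_TLDS = {"localhost", "localdomain", "local", "internal", "lan"}


def cert_host_names(cert):
    """Collect the subject CN and every DNS SAN, in order, without duplicates."""
    names = [v for rdn in cert.get("subject", ()) for a, v in rdn if a == "commonName"]
    names += [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    return list(dict.fromkeys(names))


def classify_name(name):
    """Return 'reserved', 'unqualified' or 'qualified' for one host name."""
    bare = name.lower().rstrip(".")
    if bare.startswith("*."):          # a wildcard is judged by its base domain
        bare = bare[2:]
    labels = bare.split(".")
    if labels[-1] in NON_PUBLIC_TLDS:  # localhost, exchange.local, ...
        return "reserved"
    if len(labels) < 2:                # no registrable suffix: exchange, Exchange01
        return "unqualified"
    return "qualified"


def audit_certs(certs):
    """Map each certificate's serial number to the names a CA should not have signed."""
    findings = {}
    for cert in certs:
        bad = [n for n in cert_host_names(cert) if classify_name(n) != "qualified"]
        if bad:
            findings[cert["serialNumber"]] = bad
    return findings


# Constructed sample data for this example, not real certificates.
SAMPLE_CERTS = [
    {"serialNumber": "01", "subject": ((("commonName", "www.example.com"),),),
     "subjectAltName": (("DNS", "www.example.com"), ("DNS", "example.com"))},
    {"serialNumber": "02", "subject": ((("commonName", "Exchange01"),),),
     "subjectAltName": (("DNS", "Exchange01"), ("DNS", "mail.example.com"))},
    {"serialNumber": "03", "subject": ((("commonName", "localhost"),),)},
]

if __name__ == "__main__":
    for serial, names in audit_certs(SAMPLE_CERTS).items():
        print(f"serial {serial}: signed for {', '.join(names)}")
```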

In a truly Darwinian market, users could reject an actor with an uneven track record. But that is impossible in the world of SSL. The large CAs are responsible for verifying the millions of certificates they have already issued, and browser makers cannot remove their root certificates from their software without breaking the sites that bought those certificates.

As a result, despite the gaffes, almost all browsers continue to place unbridled confidence in Comodo, VeriSign and the other CAs. They also approve certificates produced by the China Internet Network Information Center, which inspires little confidence because it is controlled by the Chinese government's Ministry of Information Industry. China has been accused of a huge hacking campaign against Google and dozens of other companies, yet the Chrome browser trusts its SSL certificates just as it trusts VeriSign's.

