Trusting Trusted CAs
Like it or not, the basis of trust for much of the Internet is the Certificate Authority (CA). Companies like Verisign, GoDaddy, and GeoTrust are in the trust business. They will sell you cryptographic proof of your Internet assets (namely your domain name) that others can use to verify that when they visit your website they are actually visiting your website and not some lookalike. This is important, as you don’t want to give the login credentials for your bank account to a lookalike web page that really isn’t your bank.
The trouble is, how do you know the CAs are doing their due diligence and not just issuing certificates to anyone who claims to own a particular domain name? Well, I’m not sure we do know, as users. Mozilla, like other browser vendors, has a policy for including CAs in its browser product, but a quick look at the list of CAs that are already in Firefox shows that we as users probably can’t verify them all ourselves.
If I were a conspiracy theorist I would be looking real hard at what the Electronic Freedom Foundation (EFF) recently released about the NSA spying program. According to their research (and that of the Guardian and others) the NSA is actively performing man-in-the-middle (MITM) attacks to get malware onto computers. This malware allows the NSA (and anyone else capable of accessing these infected computers) to circumvent protections put in place to keep information passed over the Internet secure. To do these MITM attacks one would need to present users with a valid SSL certificate if they happen to be visiting a site that is supposed to be secured. The only ways of doing this are either to obtain the SSL certificates from the real sites or to create their own and have them trusted by a trusted CA. With that in mind, I wonder which option is more probable?
It’s good to note that these types of attacks are not solely done by the NSA. Gaining access to computers is a very profitable business, and one that people other than governments engage in. It’s important to protect yourself against these attacks and to be smart when surfing the Internet. The end of the EFF story contains information on how to protect your computer (and yourself) and is a good read for everyone.
Sparks' Open Source and Security Journal by Eric "Sparks" Christensen is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.
Permissions beyond the scope of this license may be available at https://sparkslinux.wordpress.com/license/.