Friday, September 09, 2011

Security and the Diginotar debacle


You might have been following the trouble that the Dutch SSL-certificate issuing firm Diginotar have been suffering recently. It transpires that Iranian hackers got into their system and spent several months issuing themselves wildcard certs for well-known domains, most notably *.google.com. It essentially means these ne'er-do-wells can sign certificates that look like they have come from Google, and your browser would be none the wiser. In fact it's not that severe unless you've also been the victim of another attack:
  • Man-in-the-middle attack - you might be in a coffee shop where someone has managed to poison the ARP table in the router and inserted themselves into your wireless comms. If they served up the fraudulent cert they could make any domain (especially their own server) look as though you were securely connected to it.
  • DNS-poisoning attack - as highlighted by Dan Kaminsky a couple of years ago, it is possible for elderly versions of BIND and more contemporary versions of IIS to incorrectly serve up DNS look-ups. Once this is in place, the fraudulent cert on the same server would have you believing you had a secure connection.
  • Corporate decrypting proxies - many corporations install their own certificate on all client machines and essentially do a man-in-the-middle SSL intercept. Your traffic to Amazon.com is encrypted, but it goes via the proxy where it is momentarily decrypted for your boss to look at! If a corporate proxy was compromised, dodgy SSL certificates could have you believing you had an encrypted connection to Amazon.
All of this raises issues with SSL - when I first started using an SSL browser (Netscape Navigator v.2 IIRC in '95!) there were around seven or eight trusted issuing CAs. Now there are hundreds (including the Hong Kong Post Office!) and it comes as no surprise that some of them get compromised sometimes. What I don't understand is why browsers don't keep a record of the CA associated with domains and, when they see a change (particularly if a cert had time to run), inform the user? There is a plugin I use for Firefox called "Certificate Patrol" that does just that, and it's easy to use and unobtrusive.
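The record-and-compare check described above can be sketched in a few lines. This is an added example, not Certificate Patrol's code or anything from the original post; the class, the verdict names, the 30-day renewal window, and the host and CA names are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class SeenCert:
    issuer: str          # CA named in the certificate's issuer field
    fingerprint: str     # hex digest of the certificate
    not_after: datetime  # certificate expiry


class CaChangeMonitor:
    """Remembers the last accepted certificate per host and classifies changes."""

    def __init__(self, renewal_window=timedelta(days=30)):
        # Assumption: a replacement this close to expiry is a normal renewal.
        self.renewal_window = renewal_window
        self.accepted = {}

    def check(self, host, cert, now):
        old = self.accepted.get(host)
        if old is None:
            verdict = "first-seen"
        elif cert.fingerprint == old.fingerprint:
            verdict = "unchanged"
        elif cert.issuer == old.issuer:
            verdict = "renewed-same-ca"
        elif old.not_after - now <= self.renewal_window:
            verdict = "ca-changed-at-renewal"
        else:
            # New CA while the old certificate still had time to run:
            # keep the old record until the user decides.
            return "ca-changed-early"
        self.accepted[host] = cert
        return verdict


def demo():
    """Replay constructed observations of one host and return the verdicts."""
    now = datetime(2011, 9, 1)
    original = SeenCert("Example CA A", "aa11", datetime(2012, 6, 1))
    renewal = SeenCert("Example CA A", "bb22", datetime(2013, 6, 1))
    surprise = SeenCert("Example CA B", "cc33", datetime(2012, 9, 1))
    monitor = CaChangeMonitor()
    return [monitor.check("mail.example.test", c, now)
            for c in (original, original, renewal, surprise)]


if __name__ == "__main__":
    print(demo())
```

A "ca-changed-early" verdict is a prompt to look closer, not proof of fraud, since a site can legitimately switch CAs before its old certificate expires.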
Now then - the whole Diginotar story started three months ago and they didn't spill the beans until last week; security is never served by secrecy. Also - it took Apple far too long to patch Safari. I think if you're concerned about network security then avoid Safari on OS X.
