The real security issue behind the Comodo hack I
News of an Iranian hacker duping certification authority Comodo into issuing digital certificates to one or more unauthorized parties has caused an uproar in the IT community, moving some critics to call for Microsoft and Mozilla to remove Comodo as a trusted root certification authority from the systems under their control. Though the hacker managed his feat by first compromising a site containing a hard-coded logon name and password, then generating certificates for several well-known sites, including Google, Live.com, Skype, and Yahoo, I’m not bothered by the technical issue. Instead, my main concern over Public Key Infrastructure (PKI) and digital certification is that users don’t understand it.
For the most part, people don’t care about digital certificates and the security they could provide. I have a hard time getting worked up about a system error that 99 percent of users simply ignore.
[ Master your security with InfoWorld’s interactive Security iGuide. | Stay up to date on the latest security developments with InfoWorld’s Security Central newsletter. | Get a dose of daily computer security news by following Roger Grimes on Twitter. ]
PKI is not the culprit
First, I should point out that the PKI system didn’t fail, at least after the compromise. The designers of PKI realized from the very beginning that fraudulently issued certificates were a fact of life. They invented revocation for it. When the fraudulent activity was noticed, the major involved vendors revoked the certificates and issued security updates inform of the revocation. Security advisories were sent out and the worldwide news picked it up.
In short, the Comodo hacker did something that has been carried off and in all likelihood will happen again. He didn’t accomplish anything significant such as invalidating the math or crypto algorithms relied upon by the world’s PKI subsystems. The latter issue would be far more unsettling.
I’d be more concerned about this incident if people actually paid attention to digital certificate errors. However, study after study shows that most people simply ignore such warnings and move around them. I remember a study a few years ago that showed that the more one knows about digital certificates, the more likely one is to ignore certificate errors.
Comments are closed.