Apple, Facebook, Fire Fox, MCITP, MCSE 2008, MCTS, Microsoft, Phone, Tech, Uncategorized, Windows 7

The real security issue behind the Comodo hack I

Posted on Author admin

News of an Iranian hacker duping certification authority Comodo into issuing digital certificates to one or more unauthorized parties has caused an uproar in the IT community, moving some critics to call for Microsoft and Mozilla to remove Comodo as a trusted root certification authority from the systems under their control. Though the hacker managed his feat by first compromising a site containing a hard-coded logon name and password, then generating certificates for several well-known sites, including Google, Live.com, Skype, and Yahoo, I’m not bothered by the technical issue. Instead, my main concern over Public Key Infrastructure (PKI) and digital certification is that users don’t understand it.

 

Best Microsoft MCTS Certification – Microsoft MCITP Trainng at Certkingdom.com


For the most part, people don’t care about digital certificates and the security they could provide. I have a hard time getting worked up about a system error that 99 percent of users simply ignore.

[ Master your security with InfoWorld’s interactive Security iGuide. | Stay up to date on the latest security developments with InfoWorld’s Security Central newsletter. | Get a dose of daily computer security news by following Roger Grimes on Twitter. ]

PKI is not the culprit
First, I should point out that the PKI system didn’t fail, at least after the compromise. The designers of PKI realized from the very beginning that fraudulently issued certificates were a fact of life. They invented revocation for it. When the fraudulent activity was noticed, the major involved vendors revoked the certificates and issued security updates inform of the revocation. Security advisories were sent out and the worldwide news picked it up.

In short, the Comodo hacker did something that has been carried off and in all likelihood will happen again. He didn’t accomplish anything significant such as invalidating the math or crypto algorithms relied upon by the world’s PKI subsystems. The latter issue would be far more unsettling.

Blissful ignorance
I’d be more concerned about this incident if people actually paid attention to digital certificate errors. However, study after study shows that most people simply ignore such warnings and move around them. I remember a study a few years ago that showed that the more one knows about digital certificates, the more likely one is to ignore certificate errors.

Click to rate this post!
[Total: 0 Average: 0]

Author: admin

Hi I educated in the U.K. with working experienced for 18 years in multinational companies, As an IT Manager and IT Instructor, I am attached with certkingdom.com here they provide IT exams study material, the study materials included exams Q&A with Explanation, Study Guides, Training Labs, Exams Simulations, Training Videos, etc. for certification like MCSE 2003 Training, MCITP Training, http://www.certkingdom.com, CCNA exams preparation, CompTIA A+ Training, and more Certkingdom.com provide you the best training 100% guarantee. “Best Material Great Results”

Leave a Reply

Your email address will not be published. Required fields are marked *