The real security issue behind the Comodo hack II
Ninety-nine percent of the world has no idea what a digital certificate is, how PKI works, or more important, what a digital certificate error means for their immediate computer security. I’ve been in many businesses that wholesale ignored or weren’t bothered by digital certificate errors. I remember working with one very large client when Internet Explorer 7 came out along with Windows Vista; the company got mad at Microsoft (my full-time employer) for flagging “all these revoked certificates.” The client had tens of thousands of them.
Within a few minutes, I was able to tell the client that its certificates had been revoked for months; it’s just that early versions of Windows and Internet Explorer didn’t check or warn as much about revoked certificates. Instead of reissuing certificates, which was what I expected, the client (I’m not making this up) decided to switch to Firefox, because Firefox had no problem with those certificates.
In the middle of my complaining about the inappropriate solution, Firefox underwent a major upgrade — and the new version also alerted the client to the revoked certificates. The client’s solution was still not to fix the problem but instead to disable revocation checking in Internet Explorer. When I explained that a revoked certificate was to be treated the same as a malicious certificate, they patted me on the head and sent me on my way.
Traveling, I watch people in airports and in hotels, where almost every site causes some sort of digital certificate error. Today, most browsers unequivocally spell out what accepting the invalid certificate means, saying something like, “Accepting this digital certificate could allow other to see your information or send you to a fraudulent Web site.” I’ve never seen a person who didn’t bypass the error and continue using the bad digital certificate.
I love PKI, crypto, and the absolute safety built into the math. PKI and digital certificates work, for the most part, the way the designers envisioned. In almost two decades of use, I can count the number of fraudulently issued certificates on two hands — out of hundreds of millions or billions issued. PKI succeeds, but overall, when you factor in human behavior, it fails miserably. That’s been a tough lesson to learn and a hard truth to swallow.
Although it’s not good that Comodo was involved in issuing fraudulent certificates, the hack is nowhere near my list of top 10 things I’m worried about on a daily basis. So far, these fraudulent certs have been used only a handful of times, but tens of thousands of people are compromised by a fake antivirus program warning every day. I wish the big problems that affect the most people got the headlines and emotional concern that Comodo has garnered. It’s sort of like how we don’t pay our top scientists nearly as much as our top rock bands and movie stars.
Comments are closed.