Will the website security certification system collapse?

When companies lost trust in website security certification from DigiNotar, it was inevitable that the firm would collapse.

The Dutch company filed for voluntary bankruptcy last month after it emerged that attackers, alleged to be Iranian, had broken into its systems and used its signing infrastructure to issue fraudulent certificates for domains it had no relationship with, among them *.google.com. Although DigiNotar had discovered the intrusion in July, it was not made public until late August, when the Google certificate was found being used against Gmail users in Iran.

Few would disagree that this sluggish response, coupled with the rapidly disintegrating trust of major clients, merited DigiNotar’s fall.

Unfortunately, the knock-on effect could be that companies and end users lose trust not just in certificates from DigiNotar and other compromised authorities such as Comodo, but in every certificate issuer. It is abundantly clear that attackers can target and penetrate Certificate Authorities, and that doing so throws the doors to other organisations’ websites wide open: a browser accepts any certificate signed by any CA in its trust store, so a compromised CA can mint a valid-looking certificate for a site it has never dealt with, and an attacker who can also intercept the victim’s traffic can then impersonate that site without any warning being shown.

As a result, organisations and individuals will assume that SSL certificates – a CA’s signed statement binding a domain name to a public key, which the browser accepts only because it trusts the signer – can no longer be relied upon in every case.

On top of this, new research demonstrated at the ekoparty conference in Argentina (the attack known as BEAST) shows how an attacker who can observe a victim’s TLS 1.0 connection and inject chosen data into it can recover secrets such as session cookies from the encrypted stream, by exploiting the predictable initialisation vectors of the CBC cipher suites. Previous attacks, fraudulent certificates included, merely bypassed the encryption by impersonating one end of the connection; this technique attacks the cipher mode itself. Both guarantees the system makes, that the site is who it claims to be and that the traffic is private, now appear to be under attack. So what is the system worth?

Following DigiNotar’s collapse, browser and operating-system vendors hurried to remove the Dutch company’s root certificates from their trust stores. Note that trust was withdrawn by pulling the roots, not by relying on the CA’s own revocation lists or OCSP responders: that revocation infrastructure belongs to the compromised CA, and browsers in any case treat a failed revocation check as non-fatal. Withdrawing trust in this way is built into the security certification system – and it can quickly ruin a Certificate Authority. Confidence in issuers is what holds the system up.
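The two mechanics discussed above, that any trusted CA can sign a certificate for any name and that trust is withdrawn by removing a root from the store, in working code. This is an added example and not part of the original article or of any CA’s software; it is written in Go using only the standard library. The two CAs, the victim name www.example.com and the pin on the honest root’s fingerprint are all constructed for the illustration. It also shows the kind of check (certificate pinning, as Chrome applied to Google’s own domains) that catches a fraudulent chain even while the compromised root is still trusted.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// sign gives tmpl a one-day validity window, signs it on behalf of parent (self-signs when nil) and returns cert and key.
func sign(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// newCA creates a self-signed root for the made-up organisation org.
func newCA(org string) (*x509.Certificate, *ecdsa.PrivateKey) {
	return sign(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{Organization: []string{org}},
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}, nil, nil)
}

// issue has a CA sign a server certificate for host; X.509 does not restrict which names a CA may sign for.
func issue(host string, caCert *x509.Certificate, caKey *ecdsa.PrivateKey) *x509.Certificate {
	cert, _ := sign(&x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, caCert, caKey)
	return cert
}

// fingerprint is the SHA-256 of the DER certificate, the value a pin would store.
func fingerprint(c *x509.Certificate) string {
	return fmt.Sprintf("%x", sha256.Sum256(c.Raw))
}

// verify validates leaf for host against a trust store of roots and, if it chains, whether the chain ends at the pinned root.
func verify(leaf *x509.Certificate, host, pin string, roots ...*x509.Certificate) (valid, pinOK bool) {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	chains, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: pool})
	if err != nil {
		return false, false
	}
	return true, fingerprint(chains[0][len(chains[0])-1]) == pin
}

type Outcome struct {
	RogueAcceptedWhileTrusted  bool // fraudulent cert validates while its root is trusted
	RoguePinMatches            bool // ...but a pin on the genuine root would catch it
	RogueAcceptedAfterDistrust bool // fraudulent cert validates once its root is removed
	HonestAccepted             bool // genuine cert still validates after the removal
	HonestPinMatches           bool // ...and passes the pin
}

// RunScenario plays out a CA compromise and the vendors' response of removing the compromised root from the store.
func RunScenario() Outcome {
	honestCert, honestKey := newCA("Honest CA")
	rogueCert, rogueKey := newCA("Compromised CA")
	const host = "www.example.com" // constructed victim name, not a real target
	honestLeaf := issue(host, honestCert, honestKey)
	rogueLeaf := issue(host, rogueCert, rogueKey) // the fraudulent certificate
	pin := fingerprint(honestCert)                // the site operator's published pin
	var out Outcome
	out.RogueAcceptedWhileTrusted, out.RoguePinMatches = verify(rogueLeaf, host, pin, honestCert, rogueCert)
	out.RogueAcceptedAfterDistrust, _ = verify(rogueLeaf, host, pin, honestCert)
	out.HonestAccepted, out.HonestPinMatches = verify(honestLeaf, host, pin, honestCert)
	return out
}

func main() {
	fmt.Printf("%+v\n", RunScenario())
}
```

Run it with `go run` and it prints the Outcome struct: the fraudulent certificate validates for as long as the compromised root sits in the store, fails the moment that root is removed, and is rejected throughout by the pin, while the genuine certificate passes both checks. The pin here is a SHA-256 of the whole root certificate, chosen for brevity; real deployments pin a hash of the public key, usually of a CA in the chain rather than the leaf, so that routine renewals do not break the pin.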

At the consumer end, too, confidence is paramount. Millions of individuals depend on the system every day, happily assuming that the websites they visit are genuine and their data is not being stolen.

That confidence is becoming ever more fragile, and DigiNotar’s high-profile collapse could be a sign that we are reaching the tipping point.

A loss of user confidence in website authenticity would spell disaster for countless organisations. In an economic climate in which consumers are already cautious about spending their money, a drop in trust in e-tailers could knock huge holes in online spending.

Other sites depend on high traffic volumes to make adequate advertising revenue – if those figures drop by even small amounts then their negotiating power diminishes.

There are around 1,600 intermediate Certificate Authorities, and a browser treats every one of them alike: any of them can sign a certificate for any domain name. Browsers and major product manufacturers collate their own lists of trusted issuers, but there is no overriding standard. Poor user experience is widespread: certificate warnings are frequent and opaque, so users learn to click through them. A Certificate Authority is, in a sense, an outsourced arm of an organisation, and as such its own security impacts on that of its clients.

There is a clear requirement for a comprehensive examination of the sources of trust organisations rely on, with untrustworthy issuers removed or at least constrained from the outset. Certificate Authorities need not only to be secure but also, critically, to be seen to be secure.

The schemes that currently ensure the dependability of issuers are not providing the industry with the cohesive, transparent trust it needs – they are too fragmented.

Greater transparency throughout the security vetting processes applied to Certificate Authorities will help to rebuild the confidence we are in danger of losing. Any firm with an online presence should be demanding this now, as an insurance policy for the future.


With over 25 years’ experience in IT, Paul Vlissidis is a recognised expert on all aspects of IT and Internet security. He heads technical research and new product development for the Ethical Security Testing division of NCC Group, Europe’s leading independent provider of IT security testing and assurance services. He previously held senior IT risk roles within the utilities (nuclear) industry. Paul is an experienced PCI QSA advising on technical and procedural security and risk management. He provides the technical lead for a large team of ethical hackers on projects with national and international corporations, several large merchants and service providers, public sector organisations, emergency services and local authorities, testing network security. He has security clearance under the government’s CESG CHECK and CTAS schemes, enabling him to work on some of the UK’s most sensitive and confidential testing projects, and is a founding member of the security testing industry body CREST (Council of Registered Ethical Security Testers).

  • Thank you for sharing this article on web security issues.

  • DigiNotar failed with their certificates and once again (on top of all the hacking a few months ago) made people uneasy about web security.