Trusting SSL

New School has a recap and a commentary on the disclosure of an internet appliance that can be used to eavesdrop on HTTPS communications, that is, traffic to web applications such as banking, e-mail, commerce, and the like.

Before anyone panics, it’s not a hack or an exploit. The box itself doesn’t do much at all. The device relies on a certificate authority to forge a certificate for a legitimate website (the CA having assigned the certificate in the first place) so that the box appears, for all intents and purposes, to be the actual site: a man in the middle.

What New School does a good job of pointing out is that this is not, as stated above, an exploit or hack, but a breakdown in trust. The company that markets the device does so to law enforcement and intelligence agencies, and I have no reason to suspect that they have not been able to convince a CA to forge a certificate for them on request. The fault lies solely with the CA that created the forged certificate that allowed the appliance to appear as the legitimate site (something digital certificates were designed to protect). It is, essentially, the ultimate irony. The groups asked to be the most trustworthy could easily destroy that trust, and undermine the system in the process.

There’s no evidence that any of this is taking place on a wide scale, or by which CAs, if any more than one or two at all. But as the author points out, browsers come preloaded with the certificates of hundreds of CAs, which can then be used to validate most certificates on the net. I can only guess at a future where users would be recommended to be more selective in the CAs they use, based on a history of those shown to abuse that trust or not.
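Because a certificate issued by any preloaded CA validates cleanly, a client can only notice a substituted certificate by remembering what it saw before. The sketch below is an added example, not code from New School or from this post: it pins the certificate fingerprint on first contact and separates a later change under the same issuer (the case described above) from a change to a different CA. The names `observe`, `check_pin` and `bank.example`, and the sample observations, are constructed for illustration.

```python
import hashlib
import socket
import ssl


def observe(host, port=443, timeout=5.0):
    """Connect with normal CA validation; return (sha256_hex, issuer_org).

    Any certificate for `host` issued by a CA in the default trust store
    passes this step, so validation alone cannot reveal a substitution.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            issuer = dict(p for rdn in tls.getpeercert()["issuer"] for p in rdn)
    return hashlib.sha256(der).hexdigest(), issuer.get("organizationName", "")


def check_pin(pins, host, observation):
    """Compare an observation with the one pinned on first contact.

    pins maps host -> (fingerprint, issuer_org) and is filled on first use.
    """
    if host not in pins:
        pins[host] = observation
        return "first-seen"
    pinned_fp, pinned_issuer = pins[host]
    fp, issuer = observation
    if fp == pinned_fp:
        return "match"
    return "changed-same-issuer" if issuer == pinned_issuer else "changed-new-issuer"


def _constructed(der_stand_in, issuer):
    """Build a sample observation from constructed bytes (not a real certificate)."""
    return hashlib.sha256(der_stand_in).hexdigest(), issuer


SAMPLE = [
    _constructed(b"cert-A", "Example CA One"),  # first contact
    _constructed(b"cert-A", "Example CA One"),  # same certificate again
    _constructed(b"cert-B", "Example CA One"),  # new certificate, same CA
    _constructed(b"cert-C", "Example CA Two"),  # new certificate, different CA
]


def run_sample():
    """Replay the constructed observations against an empty pin store."""
    pins = {}
    return [check_pin(pins, "bank.example", obs) for obs in SAMPLE]


if __name__ == "__main__":
    print(run_sample())
```

A routine renewal also reports as changed, so both "changed" verdicts are prompts for review rather than proof of interception.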

Friday, March 26th, 2010 Security
