I read this BBC News story about mistakenly issued security certificates recently, which allowed the people with those certificates to impersonate any Google websites and intercept traffic to them. It struck me as quite significant that this particular story made it to ‘mainstream’ tech reporting.
There is a more detailed, and perhaps more accurate, commentary on this attack on Freedom to Tinker. It perhaps may not have been ‘cyber criminals’ as the BBC reported it when I first viewed the story!
Anyway, given the attention to this issue, I thought it a good opportunity to review this kind of attack against SSL/TLS — the security system upon which we all now depend. More importantly, I wanted to show Certificate Patrol, an add-on for Firefox that would allow you to notice a suspicious change to an certificate and thwart this kind of attack.
The weaknesses inherent in having too many organisations that are able to issue security certificates for any domain are becoming more clear. While this kind of attack is extremely rare, at the moment, ‘at the moment’ is a very poor security response! Hopefully, more awareness of these limitations of the internet’s authentication infrastructure can help put pressure on browser vendors, website owners and CAs to make everyone more secure.