Internet security riddled with holes

The Comodo Group, an Internet security company, has been attacked in the last month by a talkative and professed patriotic Iranian hacker who infiltrated several of the company’s partners and used them to threaten the security of myriad big-name websites.

But the case is a problem for not only Comodo, which initially believed the attack was the work of the Iranian government. It has also cast a spotlight on the global system that supposedly secures communications and commerce on the Web.

The encryption used by many websites to prevent eavesdropping on their interactions with visitors is not very secure. This technology is in use when Web addresses start with “https” (in which “s” stands for secure) and a closed lock icon appears on Web browsers. These sites rely on third-party organisations, like Comodo, to provide “certificates” that guarantee sites’ authenticity to Web browsers.

But many security experts say the problems start with the proliferation of organisations permitted to issue certificates. Browser makers like Microsoft, Mozilla, Google and Apple have authorised a large and growing number of entities around the world — both private companies and government bodies — to create them. Many private “certificate authorities” have, in turn, worked with resellers and deputised other unknown companies to issue certificates.

The Electronic Frontier Foundation, an online civil liberties group, has mapped this nebulous system. As of December 2010, 676 organisations were signing certificates, it found.

Making matters worse, entities that issue certificates, though required to seek authorisation from site owners, can technically issue certificates for any website. This means that governments that control certificate authorities and hackers who break into their systems can issue certificates for any site at will.

Experts say that both the certificate system and the technology it employs have long been in need of an overhaul.

©2011 The New York
Times News Service