<<<
Chronological Index
>>> <<<
Thread Index
>>>
RE: [bc-gnso] Hackers exploit chink in Web's armor
- To: "Phil Corwin" <psc@xxxxxxxxxxx>
- Subject: RE: [bc-gnso] Hackers exploit chink in Web's armor
- From: <lynn@xxxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 24 Mar 2011 17:23:27 -0700
<html><body><span style="font-family:Verdana; color:#000000;
font-size:10pt;"><div>Thanks Phil!</div><div>This is helpful in discussions
about consumer uses of Whois data. One view is that Whois data, if
accurate and reliable, could provide validation of who "owns" a website.
Another view is that websites who use SSL encryption have been
"validated" and consumers can see the little lock icon on the URL space.
</div><div><br></div><div>This article gives a good explanation on why
consumers cannot rely on the SSL icon as proof that ownership of a domain name
and associated website have been verified. And it emphasizes the need for
consumer trust in the accuracy and ease of availability of Whois
data.</div><div>Lynn</div><div><br></div><div><br></div>
<blockquote id="replyBlockquote" webmail="1" style="border-left: 2px solid
blue; margin-left: 8px; padding-left: 8px; font-size:10pt; color:black;
font-family:verdana;">
<div id="wmQuoteWrapper">
-------- Original Message --------<br>
Subject: [bc-gnso] Hackers exploit chink in Web's armor<br>
From: Phil Corwin <<a
href="mailto:psc@xxxxxxxxxxx";>psc@xxxxxxxxxxx</a>><br>
Date: Thu, March 24, 2011 6:12 pm<br>
To: "<a href="mailto:bc-gnso@xxxxxxxxx";>bc-gnso@xxxxxxxxx</a>" <<a
href="mailto:bc-gnso@xxxxxxxxx";>bc-gnso@xxxxxxxxx</a>><br>
<br>
<style id="owaParaStyle">
#wmQuoteWrapper P { MARGIN-TOP: 0px; MARGIN-BOTTOM: 0px }
</style> <div style="direction: ltr;font-family: Tahoma;color:
#000000;font-size: 10pt;"> <div> <div>I'm not sure if there is a role
for ICANN in addressing this, but it certainly appears to be a major
Internet/e-commerce security issue ---</div> <div> </div> <div><a
target="_blank"
href="http://news.cnet.com/8301-31921_3-20046588-281.html?tag=nl.e703";>http://news.cnet.com/8301-31921_3-20046588-281.html?tag=nl.e703</a></div>
<div> </div> <div style="BORDER-BOTTOM: medium none; TEXT-ALIGN: left;
BORDER-LEFT: medium none; BACKGROUND-COLOR: transparent; COLOR: #000000;
OVERFLOW: hidden; BORDER-TOP: medium none; BORDER-RIGHT: medium none;
TEXT-DECORATION: none"> <div class="datestamp">March 24, 2011 4:00 AM PDT
</div> <h1>Hackers exploit chink in Web's armor</h1> <div
class="postByline"><span class="author">by <a target="_blank"
href="http://www.cnet.com/profile/declan00/";> <font
color="#0066a0">Declan </font></a><font color="#0066a0">McCullagh</font>
and <font color="#0066a0"><a target="_blank"
href="http://www.cnet.com/profile/elinormills/";><font
color="#0066a0">Elinor</font></a><a target="_blank"
href="http://www.cnet.com/profile/elinormills/";> Mills</a></font><a
target="_blank" href="http://www.cnet.com/profile/elinormills/";></a>
</span></div> <div class="postByline"><span class="linkIcon
fontSize"></span><span class="fbShare"> <fb:share-button class="fb_XFBML "
href="http://news.cnet.com/8301-31921_3-20046588-281.html";
type="button_count"><span><span
class="fb_button_text"></span></span></fb:share-button></span> </div> <div
class="postBody"> <div>A long-known but little-discussed vulnerability in the
modern Internet's design was highlighted yesterday by a <a target="_blank"
href="http://news.cnet.com/8301-31921_3-20046340-281.html";><font
color="#0066a0">report</font></a> that hackers traced to Iran spoofed the
encryption procedures used to secure connections to Google, Yahoo, Microsoft,
and other major Web sites. </div> <div>This design, pioneered by Netscape in
the early and mid-1990s, allows the creation of encrypted channels to Web
sites, an important security feature typically identified by a closed lock icon
in a browser. The system relies on third parties to issue so-called
certificates that prove that a Web site is legitimate when making an "https://";
connection. </div> <div>The problem, however, is that the list of certificate
issuers has ballooned over the years to approximately 650 organizations, which
may not always follow the strictest security procedures. And each one has a
copy of the Web's master keys. </div> <div style="WIDTH: 270px"
class="cnet-image-div image-MEDIUM float-right"><a target="_blank"
class="lightboxIt"
href="http://i.i.com.com/cnwk.1d/i/tim/2011/03/23/ComodoIran.png";><img
class="cnet-image" alt="Compromise related to fraudulent digital certificates
is traced to IP addresses in Iran, Comodo says."
src="http://i.i.com.com/cnwk.1d/i/tim/2011/03/23/ComodoIran_270x73.png";
width="270" height="73" entertime="1301004681208" showedtooltip="0"><font
color="#0066a0"> </font></a> <div class="image-caption">Compromise related to
fraudulent digital certificates is traced to IP addresses in Iran, Comodo says.
</div> <span class="image-credit">(Credit: <a target="_blank"
href="http://www.comodo.com/Comodo-Fraud-Incident-2011-03-23.html";> <font
color="#0066a0">Comodo</font></a>)</span> </div> <div>"There is this problem
that exists today where there are a very large number of certificate
authorities that are trusted by everyone and everything," says <a
target="_blank" href="https://www.eff.org/about/staff/peter-eckersley";><font
color="#0066a0">Peter Eckersley</font></a>, senior staff technologist at the <a
target="_blank" href="http://www.eff.org/";><font color="#0066a0">Electronic
Frontier Foundation</font></a> who has compiled a list of them. </div>
<div>This has resulted in a bizarre situation in which companies like Etisalat,
a wireless carrier in the United Arab Emirates that <a target="_blank"
href="http://news.bbc.co.uk/2/hi/technology/8161190.stm";><font
color="#0066a0">implanted spyware</font></a> on customers' BlackBerry devices,
possess the master keys that can be used to impersonate any Web site on the
Internet, even the U.S. Treasury, <a
href="http://BankofAmerica.com";>BankofAmerica.com</a>, and <a
href="http://Google.com";>Google.com</a>. So do more than 100 German
universities, the U.S. Department of Homeland Security, and random
organizations like the Gemini Observatory, which operates a pair of 8.1-meter
diameter telescopes in Hawaii and Chile. </div> <div>It's a situation that
nobody would have anticipated nearly two decades ago when the cryptographic
protection known as SSL (Secure Sockets Layer) began to be embedded into
Web browsers. At the time, the focus was on securing the connections, not on
securing the certificate authorities themselves--or limiting their numbers.
</div> <div>"It was the '90s," says security researcher <a target="_blank"
href="http://dankaminsky.com/";> <font color="#0066a0">Dan </font></a><font
color="#0066a0">Kaminsky</font>, who <a target="_blank"
href="http://news.cnet.com/8301-10789_3-9985618-57.html";> <font
color="#0066a0">discovered</font></a> a serious Domain Name System flaw in
2008. "We didn't realize how this system would grow." Today, there are now
about 1,500 master keys, or signing certificates, trusted by Internet Explorer
and <a target="_blank" href="http://www.cnet.com/firefox-3/";
section="luke_topic"><font color="#0066a0">Firefox</font></a>. </div> <div>The
vulnerability of today's authentication infrastructure came to light after
Comodo, a Jersey City, N.J.-based firm that issues SSL certificates,
alerted Web browser makers that an unnamed European partner had its systems
compromised. The attack originated from an Iranian Internet Protocol address,
according to Comodo Chief Executive Melih Abdulhayoglu, who told CNET
that the skill and sophistication suggested a government was behind the
intrusion. </div> <div>Spoofing those Web sites would allow the Iranian
government to use what's known as a man-in-the-middle attack to impersonate the
legitimate sites and grab passwords, read e-mail messages, and monitor any
other activities its citizens performed, even if Web browsers show that the
connections were securely protected with SSL encryption. </div>
<div>If Comodo is correct about the attack originating from Iran, it
wouldn't be the first government in the region to have taken similar steps.
Late last year, the Tunisian government <a target="_blank"
href="http://www.theatlantic.com/technology/archive/2011/01/the-inside-story-of-how-facebook-responded-to-tunisian-hacks/70044/";>
<font color="#0066a0">undertook</font></a> an ambitious scheme to steal an
entire country's worth of Gmail, Yahoo, and Facebook passwords. It used
malicious JavaScript code to siphon off unencrypted log-in credentials, which
allowed government agents to infiltrate or delete protest-related discussions.
</div> <div>Comodo's revelation throws into sharp relief the list of flaws
inherent in the current system. There is no automated process to revoke
fraudulent certificates. There is no public list of certificates that companies
like Comodo have issued, or even which of its resellers or partners have
been given a duplicate set of the master keys. There are no mechanisms to
prevent fraudulent certificates for Yahoo Mail or Gmail from being issued by
compromised companies, or repressive regimes bent on surveillance; Tunisia even
has its own <a target="_blank"
href="http://www.certification.tn/index.php?id=4";><font
color="#0066a0">certificate-issuing government agency</font></a>. </div>
<div>"These organizations act as cornerstones of security and trust on the
Internet, but it seems like they're not doing basic due diligence that other
organizations are expect to do, like the banks," says Mike Zusman, managing
consultant at Web app security firm <font color="#0066a0"><a
target="_blank" href="http://intrepidusgroup.com/";><font
color="#0066a0">Intrepidus</font></a><a target="_blank"
href="http://intrepidusgroup.com/";> Group</a></font><a target="_blank"
href="http://intrepidusgroup.com/";></a>. "I'm not sure what we need to do but I
think it's time we start addressing the issue of trust and issues of
certificate authorities potentially not living up to standards that they should
be." </div> <div>Over the last few years, a handful of papers and
demonstrations at hacker conferences have focused more attention on the topic.
But the Comodo intrusion, which appears to be the first public evidence of
an actual attack on the way the Web handles authentication, could be a catalyst
for rethinking the way to handle security. </div> <div>Two years ago, for
instance, Zusman <a target="_blank"
href="http://intrepidusgroup.com/insight/2009/01/nobody-is-perfect/";> <font
color="#0066a0">was able to get a certificate</font></a> from Thawte, a
VeriSign subsidiary, for "<a href="http://login.live.com";>login.live.com</a>"
just based on an e-mail address he created on the Hotmail domain. Even though
it was revoked, it still worked in a Web browser during a demonstration at the
Black Hat conference in Las Vegas. Comodo, too, has previously been shown to
have <a target="_blank" href="https://blog.startcom.org/?p=145";><font
color="#0066a0">lax security standards</font></a> among its resellers as far
back as December 2008. </div> <div>"Remember, the only reason Iran has to go to
the lengths they've gone to to get certificates is because they don't have
a (certificate issuer) of their own... most countries can just generate their
own," says Moxie Marlinspike, chief technology officer of mobile app developer
<a target="_blank" href="http://www.whispersys.com/";><font
color="#0066a0">Whisper Systems</font></a>, who has discovered <a
target="_blank"
href="http://news.cnet.com/8301-27080_3-10299459-245.html";><font
color="#0066a0">serious problems</font></a> with Web authentication before. One
problem, he says, is that companies that issue certificates have a strong
economic incentive to make it as easy as possible to obtain them. </div>
<div>Another worrisome aspect is that browser makers don't always have a good
way to revoke fraudulent certificates. A <a target="_blank"
href="https://bugzilla.mozilla.org/show_bug.cgi?id=642395";><font
color="#0066a0">discussion thread</font></a> at <a
href="http://Mozilla.org";>Mozilla.org</a>, makers of the Firefox browser, shows
that after being alerted by Comodo, they had no process to revoke the faux
certificates. Mozilla developers ended up having to write new code and test a
patch, which took a few days and, even after its release, meant that only users
who downloaded new versions of Firefox benefit. </div> <div>Google's Chrome, on
the other hand, uses a <a target="_blank"
href="http://googlechromereleases.blogspot.com/2011/03/stable-and-beta-channel-updates_17.html";>
<font color="#0066a0">transparent update system</font></a> for desktop
versions but not necessarily mobile ones. Microsoft <a target="_blank"
href="http://www.microsoft.com/technet/security/advisory/2524375.mspx";><font
color="#0066a0">said yesterday</font></a> that "an update is available for all
supported versions of Windows to help address this issue." </div> <div><a
target="_blank" href="http://www.cl.cam.ac.uk/~rja14/";><font
color="#0066a0">Ross Anderson</font></a>, professor of security engineering at
the University of Cambridge's computer laboratory, offered an anecdote in this
paper (<a target="_blank" href="http://spw.stca.herts.ac.uk/2.pdf";><font
color="#0066a0">PDF</font></a>): "I asked a panelist from the Mozilla
Foundation why, when I updated Firefox the previous day, it had put back a
certificate I'd previously deleted, from an organisation associated with
the Turkish military and intelligence services. The Firefox spokesman said that
I couldn't remove certificates--I had to leave them in but edit them to remove
their capabilities - while an outraged Turkish delegate claimed that the body
in question was merely a 'research organisation.'" </div> <div>Jacob Appelbaum,
a Tor Project developer who is a subject of a <a target="_blank"
href="http://news.cnet.com/8301-31921_3-20042277-281.html";> <font
color="#0066a0">legal spat</font></a> with the Justice Department over his <a
target="_blank" href="http://news.cnet.com/8301-1009_3-20010866-83.html";> <font
color="#0066a0">work with </font></a><font color="#0066a0">WikiLeaks</font>,
says Mozilla should have warned of the vulnerability immediately and shipped
Firefox 4 with a way to detect and revoke bad certificates turned on by
default. (The technique is called <a target="_blank"
href="http://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol";><font
color="#0066a0">Online Certificate Status Protocol</font></a>, or OSCP). </div>
<div>"Mozilla's not taking their responsibility to the Internet seriously,"
said Appelbaum, who wrote an <a target="_blank"
href="https://blog.torproject.org/blog/detecting-certificate-authority-compromises-and-web-browser-collusion";>
<font color="#0066a0">independent analysis</font></a> of the situation. "A Web
browser isn't a toy. It's being used as a tool to overthrow governments...At
the end of the day, they did not put their users first." </div> <div>Some
long-term technical fixes have been proposed, with names like <a
target="_blank" href="http://www.ietf.org/id/draft-ietf-dane-protocol-06.txt";>
<font color="#0066a0">DANE</font></a>, <font color="#0066a0"><a target="_blank"
href="http://tools.ietf.org/html/draft-hoffman-server-has-tls-04";><font
color="#0066a0">HASTLS</font></a></font>, <font color="#0066a0"><a
target="_blank"
href="http://tools.ietf.org/html/draft-hallambaker-donotissue-03";><font
color="#0066a0">CAA</font></a></font> (Comodo's Philip Hallam-Baker is a
co-author), and <font color="#0066a0"> <a target="_blank"
href="http://web.monkeysphere.info/";><font
color="#0066a0">Monkeysphere</font></a></font>. The technology known as <a
target="_blank"
href="http://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions";><font
color="#0066a0">Domain Name System Security Extensions</font></a>, or DNSSEC,
can help. The Electronic Frontier Foundation's Eckersley, who runs the
groups <font color="#0066a0"><a target="_blank"
href="https://www.eff.org/observatory";><font color="#0066a0">SSL</font></a><a
target="_blank" href="https://www.eff.org/observatory";>
Observatory</a></font><a target="_blank"
href="https://www.eff.org/observatory";></a> that tracks SSL certificates,
hints that he'll soon offer another proposal about how to reinforce the Web's
cryptographic architecture. </div> <div>"We do in fact need a way not to trust
everyone," Eckersley says. "We have 1,500 master certificates for the Web
running around. That's 1,500 places that could be hacked and all of a sudden
you have to scramble to dream up a solution." </div> </div> <br> <br> Read
more: <a target="_blank" style="COLOR: #003399"
href="http://news.cnet.com/8301-31921_3-20046588-281.html#ixzz1HYctsBUi";>
http://news.cnet.com/8301-31921_3-20046588-281.html#ixzz1HYctsBUi</a></div>
<div> </div> <div style="FONT-FAMILY: Tahoma; FONT-SIZE: 13px">
<div><strong><font color="#000080">Philip S. Corwin, Founding
Principal</font></strong></div> <div><strong><font
color="#000080"><strong><font
color="#000080">Virtualaw</font></strong> LLC</font></strong></div>
<div><strong><font color="#000080">1155 F Street, NW</font></strong></div>
<div><strong><font color="#000080">Suite 1050</font></strong></div>
<div><strong><font color="#000080">Washington, DC 20004</font></strong></div>
<div><strong><font color="#000080">202-559-8597/Direct</font></strong></div>
<div><strong><font color="#000080">202-559-8750/Fax</font></strong></div>
<div><strong><font color="#000080">202-255-6172/cell</font></strong></div>
<div><strong><font color="#000080"></font></strong> </div>
<div><em><strong><font color="#000080">"Luck is the residue of design" --
Branch Rickey</font></strong></em></div> <div><font color="#000080"></font>
</div> </div> </div> </div>
</div>
</blockquote></span></body></html>
<<<
Chronological Index
>>> <<<
Thread Index
>>>
|
![http://i.i.com.com/cnwk.1d/i/tim/2011/03/23/ComodoIran.png"](http://i.i.com.com/cnwk.1d/i/tim/2011/03/23/ComodoIran.png"){kind=link}
![http://i.i.com.com/cnwk.1d/i/tim/2011/03/23/ComodoIran_270x73.png"](http://i.i.com.com/cnwk.1d/i/tim/2011/03/23/ComodoIran_270x73.png"){kind=link}