
In the world of Internet security, Secure Sockets Layer (SSL) and its successor Transport Layer Security (TLS) are the workhorse protocols for protecting confidential communications over the web. As of 2010, SSL had stood the test of time (15 years) and secured almost all of the world's e-commerce. In 2011, however, the certificate infrastructure that SSL depends on was breached on multiple occasions, calling into serious question whether companies can still rely on SSL to communicate securely across the web. This affects the enterprise in two different ways: first, in its capacity as an end-user (or group of end-users); and second, in its capacity as owner and operator of a website that offers an SSL portal to customers. The 2011 attacks focused on the part of SSL that "authenticates" the identity of the endpoint of encrypted communication, i.e., the website/server. Authentication is carried out, in advance, by third parties known as Certificate Authorities (CAs). The role of the CA is to issue a cryptographically signed SSL certificate that vouches for the identity of the organization that controls a particular web domain. Boiled down to its essence in non-tech speak, the role of the CA is to issue ID badges to parties that wish to engage in secure communications. Thus, the value of SSL rises and falls with the reliability, competence, and trustworthiness of the CA. You can encrypt a communication all you want, but if a bad actor holds a certificate for Google, XYZ Bank, or any other domain it does not control, and that certificate was signed by a CA your browser trusts, then the bad actor can mount either a "man-in-the-middle" attack, which wiretaps the encrypted communications, or a "phishing" attack, in which your browser accepts an impostor site as the real Google or XYZ Bank. In 2010, there were doubts that CA practices presented a real threat. The events of 2011 erased them. Now, the question is whether the CA model works at all.
Just this past week, news broke that DigiNotar, a global CA, was hacked from an Internet address registered in Iran (although the hacker's real location may in fact have been elsewhere). What does this attack mean? It means several things, and none of them are good. First, a bad actor gained access to and control of DigiNotar's computer systems and was able to issue cryptographically signed, totally fraudulent certificates that could cause end-users' browsers all across the globe to falsely authenticate ownership and control of any site on the Internet. DigiNotar, according to observers, issued more than 500 unauthorized certificates. Second, DigiNotar, one of the universally relied-upon CAs, was embedded in all of the major browsers by default. This means that when a fraudulent DigiNotar SSL certificate was presented to a browser, the browser would use its own embedded DigiNotar "root" certificate to automatically authenticate either the bogus website or the man-in-the-middle presenting the bad certificate. The browser does not check whether the legitimate website ever did business with DigiNotar: any root in the browser's trust store can vouch for any domain, so this was true even when the legitimate website did NOT use DigiNotar for its SSL certificates. Many, perhaps even most, large enterprises trusted DigiNotar by default. During the time between the hack and the revocation of the bad certificates, which took more than a month, the overwhelming majority of enterprises and their customers (or business partners, law firms, or consultants) were vulnerable to eavesdropping or phishing attacks. In addition to DigiNotar revoking the bad certificates, the major browsers have taken the further step of deleting DigiNotar's root certificate from their embedded default lists, meaning those browsers will no longer trust any certificate that chains to DigiNotar. To make matters worse, the DigiNotar fraudulent certificates included some so-called "extended validation" certificates, which are supposed to be more trustworthy and more rigorously verified.
Extended validation certificates are often used for an enterprise's most sensitive interactions with its customers. Thankfully, only one CA was hacked. Right? Wrong. Rewind several months: in March of 2011, another widely relied-upon CA issued a number of unauthorized digital certificates for various high-value Internet domains. This was the result of at least one of its affiliates, known as a registration authority (RA), being hacked. In the CA world, RAs undertake, on behalf of the CA, to verify the identity of certificate applicants. If an RA says, "John is, in fact, John," then the CA will generally issue John a certificate. A compromised RA is therefore a very big deal: the attacker does not need the CA's signing key, only the ability to make the CA believe that an identity check has passed. Still another CA was the subject of an attack in 2011: StartSSL. Although it does not appear that StartSSL issued fraudulent certificates, the CA nevertheless temporarily suspended aspects of its operations. It will take considerable time for the CA world to adjust its business-practice guidelines to decrease the chance of future compromises. But that does not mean that companies cannot take concrete steps that will dramatically reduce their risk of being wiretapped through a man-in-the-middle or phishing attack.
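The trust-store mechanics described above (any root a browser ships can vouch for any domain, whether or not the site's operator ever used that CA) and the two concrete countermeasures available to an enterprise (removing a compromised root from the trust store, and pinning the root the site actually uses) are shown below as an added example in Go, using only the standard library. This is illustrative code written for this page; it is not DigiNotar's, any browser's, or any real CA's code. The CA names, the hostname bank.example, and the certificates are all constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

var serial int64 // incremented per certificate; a real CA uses large random serials

// issue generates a key pair and a certificate for name. With parent == nil the
// result is a self-signed CA (a stand-in for a root a browser ships by default);
// otherwise parent signs a server certificate for the hostname name. Nothing in
// X.509 stops a CA from signing for a host it has no relationship with.
func issue(name string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	if parent == nil { // self-signed root
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage = x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	} else { // server (leaf) certificate
		tmpl.DNSNames = []string{name}
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// chainRoot does what a browser does: build a chain from the leaf to ANY root in
// the trust store and check the hostname. It returns the root that anchored the
// chain; the browser never asks whether the site's operator chose that CA.
func chainRoot(leaf *x509.Certificate, roots *x509.CertPool, host string) (*x509.Certificate, error) {
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	if err != nil {
		return nil, err
	}
	return chains[0][len(chains[0])-1], nil
}

// spkiPin is the SHA-256 of a certificate's SubjectPublicKeyInfo, the usual value to pin.
func spkiPin(c *x509.Certificate) [32]byte { return sha256.Sum256(c.RawSubjectPublicKeyInfo) }

// verifyPinned additionally requires the chain to end at the root the site
// operator actually uses, so a rogue-but-trusted root no longer suffices.
func verifyPinned(leaf *x509.Certificate, roots *x509.CertPool, host string, wantPin [32]byte) error {
	root, err := chainRoot(leaf, roots, host)
	if err != nil {
		return err
	}
	if spkiPin(root) != wantPin {
		return fmt.Errorf("pin mismatch: chain anchored at unexpected root %q", root.Subject.CommonName)
	}
	return nil
}

// RunScenario reproduces the 2011 situation with constructed certificates and reports
// whether a certificate for host issued by a compromised root is accepted (1) with both
// roots trusted, (2) after the compromised root is removed, (3) with the real root pinned.
func RunScenario() (acceptedTrusted, acceptedRemoved, acceptedPinned bool, err error) {
	const host = "bank.example" // constructed hostname
	legitRoot, _, e1 := issue("Legit Root CA", nil, nil)
	rogueRoot, rogueKey, e2 := issue("Compromised Root CA", nil, nil)
	rogueLeaf, _, e3 := issue(host, rogueRoot, rogueKey) // the site never asked for this
	if err = errors.Join(e1, e2, e3); err != nil {
		return
	}
	both := x509.NewCertPool() // the browser's default store: trusts both CAs
	both.AddCert(legitRoot)
	both.AddCert(rogueRoot)
	onlyLegit := x509.NewCertPool() // the store after the compromised root is deleted
	onlyLegit.AddCert(legitRoot)
	_, errTrusted := chainRoot(rogueLeaf, both, host)
	_, errRemoved := chainRoot(rogueLeaf, onlyLegit, host)
	errPinned := verifyPinned(rogueLeaf, both, host, spkiPin(legitRoot))
	return errTrusted == nil, errRemoved == nil, errPinned == nil, nil
}

// Prints the three acceptance results and any error from certificate generation.
func main() { fmt.Println(RunScenario()) }
```

The first check succeeds even though bank.example has no relationship with the compromised CA, which is the DigiNotar problem in miniature. The second check is what browsers did by deleting the root; the third is what a site operator or an enterprise client can do unilaterally, without waiting for the CA or the browser vendors, by refusing any chain that does not end at the root it expects.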

Copyright © 2020 ALM Media Properties, LLC. All Rights Reserved.