Concerned organizations say basic flaws in Web-security design may be causing many websites that display padlock icons—designed to show that they’re secure—to be unsafe.For example, some of these sites rely on digital certificates that third-party certificate authorities (CAs) may improperly issue or use, said Seth Schoen, senior staff technologist with the Electronic Frontier Foundation (EFF), a digital-rights advocacy organization. These types of problems have already occurred, he noted.
At issue are websites that display padlock icons to indicate their communications are protected via HTTP Secure technology. HTTPS relies on Secure Sockets Layer or the more recent Transport Layer Security encryption, which keeps transmitted data safe from interception. Many of these sites rely on a CA to issue an SSL or TLS certificate that is supposed to guarantee to website users that the site is safe to both visit and use for transactions.
Based on checks the CA is supposed to make, the certificate is designed to verify that the connec-tion is securely encrypted and that the party on the certificate owns the displayed domain name and is a legitimate and legal entity. The certificate and browser also verify that visitors are actually connected to the domain they see in the browser address bar.Schoen said there are now so many CAs, website visitors don’t know which authorities are trust-worthy and genuine, and which could misuse their certificates to, for example, eavesdrop on users.
A third party could misuse a certificate to launch a man-in-the-middle attack, in which a hacker independently connects with two parties to a communication and relays messages between them, thereby controlling the transaction.Thus, Schoen said, the EFF is particularly concerned about authenticating whether a visitor’s connection to a site is direct or passing through another party. Root CAs—such as DigiCert, Entrust, Equifax, GlobalSign, Go Daddy, and VeriSign—are consid-ered directly trustworthy because they have passed independent audits by well-known professional-services firms such as Ernst & Young and KPMG International.
Root CAs can appoint intermediate CAs to issue certificates under their authority. However, the latter can also issue certificates on their own. Problems can occur when intermediate CAs aren’t as cautious as root CAs, such as by not conducting rigorous background checks before issuing certificates.This could be a particular concern because a recent survey by the SSL Observatory project (www.eff.org/observatory) indicates there are more intermediate CAs than anyone in the security community predicted. The EFF and security vendor iSEC Partners recently formed the SSL Observatory project to investigate the certificates that secure HTTPS sites, how they’re used, and how to cope with problems they can create.
Melih Abdulhayoglu, CEO for security vendor Comodo Group, said the most important problem is domain-validation certificates. A CA automatically issues a DV certificate for a given website only by verifying the domain and address in a WHOIS database. Sites that have received DV certificates still display the padlock icon.
According to Abdulhayoglu, although DV certificates are inexpensive to produce, they’re a bad idea because the issuing CA doesn’t authenticate or validate the business behind a website. In addition, the certificates aren’t subject to independent auditing.
Abdulhayoglu said using a public-key infrastructure for website security is preferable because the CA’s role in PKI is to be an independent third party that validates the business behind a website. PKI lets users of an unsecured public network such as the Internet safely exchange data by working with paired public and private cryptographic keys issued and shared via a CA.The
Certification Authority/Browser Forum (www.cabforum.org), a consortium of CAs and browser providers, is addressing website safety issues by developing industrywide authentication standards.
News Briefs written by Linda Dailey
Paulson, a freelance technology
writer based in Portland, Oregon.
Contact her at ldpaulson@yahoo.
com.
How Safe Are
Secure Websites?
Article Source:
0 komentar: — Skip to Comment.
Posting Komentar — or Back to Content