Who Do You Trust? Part 2Fraudulent Google SSL Certificate Raises Doubts about Trust
Trust, as a characteristic of information security, keeps being tested. Without trust, people - whether in government or the private sector - won't be able to function properly in conducting business.
I wrote about trust 3Â½ weeks ago, when the hacking group Anonymous threatened - or not - to take down Facebook next month (see New Analysis: Who Do You Trust?). Truly, how do we know Anonymous really made that threat?
Another dent in that trust surfaced this past week with reports of a so-called man-in-the middle attack against Google users in Iran, where someone tried to get between the Iranian victims and encrypted Google services. The attacker used a fraudulent SSL certificate issued by a small Dutch company DigiNotor.
Probably the best explanation of the incident comes from F-Secure, the Finnish company that last week uncovered evidence related to last March's RSA SecurID breach (see RSA Breach Evidence Uncovered ). The blogger, F-Secure Chief Research Officer Mikko Hyppopen, asks what can one do with such a certificate? Impersonate Google, he answers, something that can be done by a government or a rogue Internet service provider. But why would anyone want to intercept Google? Hyppopen asks, then answers his own question:
"This is not really about the search engine at www.google.com. This is about the Gmail servers at mail.google.com and Google Docs at docs.google.com and maybe Google+ at plus.google.com. ... It's likely the government of Iran is using these techniques to monitor local dissidents."
In an earlier post, Hyppopen explains that certification authorities sell SSL certificates for the encryption of web traffic. That allows secure transactions such as online banking and shopping to occur online across https connections. But, Hyppopen writes:
"The current certification system dates from the 1990s and has not scaled well to the sheer size and complexity of the Internet today. In addition to the major certification companies such as Verisign, GoDaddy and Comodo, there are hundreds or even thousands of regional CAs that are basically resellers for the larger companies."
How does aging certificate technology endanger trust? Simply, if a government such as Iran's can control Internet routing, it could reroute Gmail traffic within its borders, and read users' e-mail messages. "Even most geeks wouldn't notice this was going on," Hyppopen says.
Other technologies such as cloud computing require us to rethink what we mean by trust. My colleague Howard Anderson broached that point in his interview with Feisal Nanji, executive director at the security consulting firm Techumen (see Mitigating Risks in the Cloud), who said:
"There are clearly three major cloud compliance issues if you really think about them. One is this notion of data ownership and control. That is, we may have to revise our models for establishing trust, consequences and chain of custody and how we provide access and authentication for our key data assets. So as we IT folks and legal folks think about signing a contract on cloud computing, let's make sure that we genuinely understand what the data ownership and control chain of custody is."
It's not just technology where trust is being challenged, but human behavior, too. Fraud schemes such as phishing have been around almost as long as the World Wide Web. As another colleague Jeffrey Roman writes (see Phishing Scams Capitalize on Irene):
"In the wake of natural disasters such as Hurricane Irene, fraudsters are quick to capitalize on the desperation of the displaced and the sympathies of those who want to help. Most of the schemes rely on phishing scams that feign to be charities set up to aid victims."
These examples of the erosion of trust threaten the way we not only conduct business, but live and breathe on the Internet.