Cryptography


Comodo, DigiNotar Attacks Expose Crumbling Foundation of CA System

There are a lot of things in the security world that are broken and there isn’t room to list them all, even on the Internet. But if the events of the last few days have shown us anything, it’s that the certificate authority infrastructure is beyond broken and there’s no quick fix looming on the horizon. In fact, the way things look now, there may not be any practical solution to the problem at all.

DigiNotar Keeping Tor Project In The Dark On Fraudulent Certificates

A co-founder of The Tor Project says his organization is being kept in the dark about the status of a dozen fraudulent SSL certificates issued in its name by a compromised root server operated by DigiNotar. The bogus certificates could be used to carry out man-in-the-middle attacks, or trick unsuspecting Internet users into downloading a compromised version of the Tor anonymity software.


The current online atmosphere, in which government-sponsored surveillance, data collection and sale by private companies and politically motivated attacks have become the norm, has spurred a renewed interest in many corners of the Internet in privacy and anonymity. The people behind The Crypto Project are working to provide some of the necessary tools for protecting communications and activities online.

The inherent problems with the certificate authority infrastructure have been known for a long time, but they’ve become even more obvious with the news of the recent compromise of DigiNotar, which resulted in the issuance of a slew of fraudulent SSL certificates. In this talk from the Black Hat USA conference earlier this month, Moxie Marlinspike discusses the issues with CAs and his suggestion to replace the whole infrastructure.

Call it “RSA on the Rhine.” Government officials in The Netherlands were left scrambling Tuesday to reassure nervous citizens that the country’s digital ID system, dubbed DigID, was safe after it was revealed that DigiNotar, the certificate authority that backs the DigID system, had been compromised by hackers and used to issue fraudulent certificates.

When a small group of activists announced the debut of The Crypto Project earlier this year, for many, ahem, mature, security and privacy advocates it brought to mind memories of the original cypherpunk movement that began in the 1990s and that group’s seminal efforts to encourage the use of strong cryptography and anonymity online, as well as its successes and failures. The two groups are not allied by anything other than ideology, but The Crypto Project’s leaders are aiming to follow in the footsteps of the cypherpunks, build on their accomplishments and make security and privacy tools freely available to the masses.

UPDATE: A certificate authority in the Netherlands issued a valid SSL wildcard certificate for Google to a third party in July, leading to concerns that attackers may have been using the certificate to route sensitive traffic through their own servers, capturing it and compromising user data in the process. The certificate was revoked by the CA, DigiNotar, after the problem came to light Monday, and Mozilla and Microsoft have both removed DigiNotar from their lists of trusted root CAs.

Researchers at anti-malware company F-Secure say they have found the actual infected Excel file that was used in the attack on RSA earlier this year, eventually forcing the company to replace millions of its SecurID tokens. The Outlook email message containing the malicious file apparently was uploaded to VirusTotal in March and the researchers dug it out this week.