SSL Digital Certificate Security Issues Put CAs on Notice

It’s been a rough couple of years for the security of fundamental Internet infrastructure technologies such as the domain name system (DNS), SSL and digital certificates. Hackers are taking aim at these core technologies at the heart of ecommerce and online communication, and more often than not are hitting their mark with devastating accuracy.


Not only are high-profile attacks taking down technologies, but they’re also putting a dent in the underlying trust people have in doing business online and, in extreme cases, putting companies out of business.

“We’re always under attack, and it’s been that way since 1995,” said Ryan Hurst, CTO of certificate authority GlobalSign. “The attacks have always been there, and their frequency has stepped up. But also has our ability to defend them.”

The security of digital certificates and SSL, in particular, has been under a harsh spotlight for more than a year. Several high-profile hacks of leading CAs such as Comodo, GlobalSign and DigiNotar reinforced the need to protect these assurance tokens, which validate the authenticity of online transactions and messaging.

DigiNotar was the poster child for CA insecurity and paid the ultimate price when it went out of business after it was breached in September 2011 and all major browsers refused to support SSL certificates signed by the Dutch CA. Comodo, meanwhile, suffered four separate attacks last year. Fraudulent Comodo SSL certificates were issued, and ultimately revoked, again calling into question the trustworthiness of online interactions. Attackers using phony certs can redirect users to malicious websites where drive-by downloads of malware can lead to loss of sensitive personal or corporate information.

Some security experts are offering alternatives to certificate authorities, such as Moxie Marlinspike’s Convergence protocol. Convergence relies on notary servers to validate whether an SSL certificate is legitimate, removing this responsibility from the current paradigm of certificate authorities. Another similar initiative called Perspectives, built at Carnegie Mellon University, also relies on notaries to rubber-stamp certificates.  

Regardless, there has been relatively little traction because existing certificates and trust mechanisms are so ingrained in the current Internet infrastructure. Yet some widespread movement is in the works to at least bring certificates up to a minimum security standard.

Microsoft announced in June its intention to no longer support certificate key lengths shorter than 1024 bits; that requirement takes effect Oct. 9, when Microsoft releases an automated tool that will check RSA key lengths and revoke any certificate not meeting the 1024-bit minimum. Microsoft recommends 2048-bit keys; it called the move another “defense in depth measure” to batten down Windows systems, ultimately protecting private keys and helping customers avoid phishing or man-in-the-middle attacks.
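The check Microsoft’s tool performs comes down to reading the RSA modulus out of a certificate’s SubjectPublicKeyInfo and comparing its bit length against a policy floor. The following is an added example, not code from the article or from Microsoft: a minimal DER encoder and parser that builds a constructed SubjectPublicKeyInfo (the moduli are stand-in integers of the right size, not real keys), extracts the modulus length, and classifies it against the 1024-bit minimum and 2048-bit recommendation the article cites. The threshold names and the `classify_key` labels are this example’s own.

```python
# Added example (not from the article or Microsoft): measure the RSA modulus
# length in a DER-encoded SubjectPublicKeyInfo and apply a key-length policy.

MIN_BITS = 1024          # floor the article says Microsoft's tool enforces
RECOMMENDED_BITS = 2048  # length Microsoft recommends, per the article

# OID 1.2.840.113549.1.1.1 (rsaEncryption), DER-encoded content bytes
RSA_OID = bytes.fromhex("2a864886f70d010101")


def der_len(n):
    """DER length octets: short form below 0x80, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag, body):
    return bytes([tag]) + der_len(len(body)) + body


def der_int(v):
    """DER INTEGER; a leading 0x00 keeps a high-bit value positive."""
    body = v.to_bytes((v.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return der(0x02, body)


def build_rsa_spki(modulus, exponent=65537):
    """Constructed test data: SubjectPublicKeyInfo for an RSA key (RFC 5280 / RFC 8017).
    The modulus is only a stand-in of the wanted size, not a real key."""
    alg = der(0x30, der(0x06, RSA_OID) + der(0x05, b""))
    rsa_pub = der(0x30, der_int(modulus) + der_int(exponent))
    # BIT STRING: one leading byte of unused-bit count (0), then RSAPublicKey
    return der(0x30, alg + der(0x03, b"\x00" + rsa_pub))


def read_tlv(buf, pos):
    """Parse one DER tag-length-value at pos -> (tag, value, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_bits(spki):
    """Return the RSA modulus bit length from a DER SubjectPublicKeyInfo,
    or None if the key is not RSA."""
    tag, outer, _ = read_tlv(spki, 0)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    _, alg, pos = read_tlv(outer, 0)
    _, oid, _ = read_tlv(alg, 0)
    if oid != RSA_OID:
        return None
    tag, bitstr, _ = read_tlv(outer, pos)
    if tag != 0x03 or bitstr[0] != 0:
        raise ValueError("expected BIT STRING with no unused bits")
    _, rsa_pub, _ = read_tlv(bitstr, 1)
    _, modulus, _ = read_tlv(rsa_pub, 0)
    return int.from_bytes(modulus, "big").bit_length()


def classify_key(spki):
    """'reject' below the minimum, 'weak' below the recommendation, else 'ok'."""
    bits = rsa_modulus_bits(spki)
    if bits is None:
        return "not-rsa"
    if bits < MIN_BITS:
        return "reject"
    if bits < RECOMMENDED_BITS:
        return "weak"
    return "ok"


# Constructed samples: stand-in moduli of 512, 1024 and 2048 bits
SAMPLE_512 = build_rsa_spki((1 << 511) | 1)
SAMPLE_1024 = build_rsa_spki((1 << 1023) | 1)
SAMPLE_2048 = build_rsa_spki((1 << 2047) | 1)

if __name__ == "__main__":
    for name, spki in (("512", SAMPLE_512), ("1024", SAMPLE_1024), ("2048", SAMPLE_2048)):
        print(name, rsa_modulus_bits(spki), classify_key(spki))
```

The parser deliberately reads only the modulus, so it is a policy check and not a validator; a real inventory scan would pull the SubjectPublicKeyInfo out of each certificate with a proper X.509 library and feed it to the same classification.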

GlobalSign, one of the CAs breached a year ago (a web server was breached, but certificates were not compromised, the company said), announced today a new security measure of its own to cut down on phishing attacks. It partnered with Netcraft, an English provider of web hosting market-share data and security services, to deliver an early warning system to GlobalSign SSL certificate users, warning them if a cert is being used in concert with a phishing attack and whether a website could be compromised and part of a scam.

“If a phishing attack is delivered over SSL, it adds credibility to the attack,” GlobalSign CEO Steve Waite told Threatpost. “We don’t want our certs adding credibility to those types of attacks.”

Netcraft maintains a large database of phishing certificates and URLs, Waite said. The service cross-references new phishing URLs with the database of SSL certs and alerts GlobalSign, which can then inform customers that they could be hosting a compromised site used for phishing and would need to remediate.
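The cross-reference described above reduces to matching the hostname of each reported URL against the DNS names a CA has issued certificates for. The following is an added example, not code from the article, Netcraft or GlobalSign: it takes a constructed certificate inventory and a constructed phishing feed, normalises each URL to a hostname, and applies RFC 6125-style name matching (exact names plus a single left-most wildcard label) to produce the alerts a CA would forward to its customers. The serial numbers, hostnames and the `cross_reference` function are this example’s own.

```python
# Added example (not from the article, Netcraft or GlobalSign): match a
# phishing URL feed against the DNS names on a CA's issued certificates.
from urllib.parse import urlsplit

# Constructed inventory: certificate serial -> DNS names (CN plus SANs)
CERT_INVENTORY = {
    "serial-0001": ["secure-bank.example", "www.secure-bank.example"],
    "serial-0002": ["*.hosting-customers.example"],
    "serial-0003": ["shop.example"],
}

# Constructed phishing feed, the kind of data the article says Netcraft supplies
PHISHING_FEED = [
    "https://www.secure-bank.example/login/verify",
    "https://victim-login.hosting-customers.example/index.php",
    "https://a.b.hosting-customers.example/",      # two labels under a wildcard
    "http://unrelated.example/phish",             # not one of our certs
    "https://SHOP.example:8443/account",          # case and port must not matter
]


def hostname(url):
    """Lower-cased hostname without port, userinfo or trailing dot."""
    host = urlsplit(url).hostname
    return host.rstrip(".") if host else None


def name_matches(cert_name, host):
    """RFC 6125-style match: exact, or one wildcard covering a single left-most label."""
    cert_name = cert_name.lower()
    if not cert_name.startswith("*."):
        return cert_name == host
    suffix = cert_name[1:]               # e.g. ".hosting-customers.example"
    if not host.endswith(suffix):
        return False
    label = host[:-len(suffix)]
    return label != "" and "." not in label


def cross_reference(feed, inventory):
    """Return [(url, serial)] for phishing URLs served under a certificate we issued."""
    hits = []
    for url in feed:
        host = hostname(url)
        if host is None:
            continue
        for serial, names in inventory.items():
            if any(name_matches(name, host) for name in names):
                hits.append((url, serial))
    return hits


if __name__ == "__main__":
    for url, serial in cross_reference(PHISHING_FEED, CERT_INVENTORY):
        print(f"alert: {url} matches certificate {serial}")
```

The wildcard rule matters for the false-positive rate: a `*.hosting-customers.example` certificate does cover a phishing page on one customer subdomain, but not a deeper name such as `a.b.hosting-customers.example`, so that URL is correctly left out of the alerts.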

GlobalSign, like most of the other CAs, stepped up its security game since the rash of attacks last year. Audits of the security infrastructure guarding their certificates have ramped up, as has awareness of the threat landscape.

“Any time we receive a credible threat or intelligence about something that may be going on, we investigate. Most of the CAs work together on things like this,” GlobalSign’s Hurst said. “If we receive a hit on our security instruments and collect data, we share that with other CAs. Sometimes attacks are coordinated against all of us.”

And none of them wants to be the next DigiNotar.

“Of course when we see any business have their business disappear overnight, it makes you stop and take notice and make sure you’re doing everything to honor your responsibilities to your customers, partners and your business,” Hurst said. “Things happen; it’s how you deal with them that’s important.”
