Trust done wrong

IT security is getting out of the basement and starting to infiltrate everyday life. If the recent Wikileaks, Anonymous, Stuxnet and Sony PSN debacles weren't enough, now it's finally in the open that the trust everyone takes for granted when using encrypted connections is mostly based on wishful thinking and a bit of hand-waving.

DigiNotar, by thinking that running a certificate authority we all trust is best run by a total lack of security, has likely put Iranians at severe risk. What it has exposed is one of the internet's dirty little secrets: SSL encryption, what we all depend on for banking, email and e-commerce, is mostly worthless without a viable model of trust. And our model of trust is severely lacking at the moment.

DigiNotar was a terrible offender and that they promptly got revoked will be the least of their worries, but it wasn't the first offender. Comodo and StartCom both had break-ins recently and it is likely that more certificate authorities are as terrible as DigiNotar. The difference is that DigiNotar didn't act directly: it took 2 months before an Iranian user noticed something was wrong with his Gmail-certificate. Bad security is one thing, but not doing anything after such a break-in is malice.

Your browser currently trusts 600+ of these certificate authorities, from which DigiNotar has hopefully been removed. None of these companies will mean anything to your average user except maybe VeriSign, and your typical user will trust a site with a VeriSign-logo without even looking at a certificate. Yet all of these CAs are trusted to provide certificates with which our connections are encrypted: they are the only line of defense when it comes to man-in-the-middle attacks. And the likes of TDC, XRamp and TurkTrust are trusted to not make the same mistakes as DigiNotar...

Rather than repeat his words, Moxie Marlinspike's talk on SSL and authenticity says it all.

What can your company do? Take security seriously. DigiNotar wouldn't be in this situation if they had given a thought about security, but the situation wouldn't be as desperate if they had acted right away. I have contacted a few companies regarding security lapses on their side (one unknowingly disclosed 200k accounts a few months ago, no I'm not naming them) and thankfully they have all quickly taken appropriate measures. This is all we ask.

Is there a silver lining? Naturally. The whole charade with certificate authorities has given us Ubuntu...