DigiNotar: When Trust Goes, e-Everything Goes
The failure of Dutch certificate authority DigiNotar should have Android, iOS and IT security folks very concerned.
Call the DigiNotar hack a wake-up call for smartphone users and for the IT security folks everywhere who have to support those platforms. At first glance, this summer's breach of a below-the-radar Dutch company seems of interest only to propeller heads, but in reality it highlights how sharply exposed smartphone users are.
That's because the now-defunct DigiNotar issued the certificates that assure a browser a website is legitimate and not some hacker's copy of a site, your bank's, say, put up to steal your personal information. In this breach, which apparently was orchestrated out of Iran, some 531 bogus certificates were issued for a range of domains including Google, the CIA and Israel's Mossad spy agency. Armed with such a certificate and a way to redirect a victim's traffic (Iranian Gmail users were intercepted in exactly this way), an attacker can present a site the browser accepts as the official site of the Mossad or of Gmail, padlock and all, when it is nothing of the kind.
This assault on the public key infrastructure (PKI) and the certificates it vouches for may well upend the mobile Web in particular.
The browsing experience on a tiny smartphone screen is different from that on a full-size monitor or laptop screen. On a computer we might well notice that something is hinky when we land on a counterfeit site. On a tiny smartphone screen, not so much.
“With smartphones the ergonomics increase the vulnerabilities,” said Scott Morrison, CTO at Layer 7 Technologies, a security company.
The tendency on small-screen devices is just to click through, with no skepticism and little double-checking. That is why Eric Hemmendinger, senior product manager for security services at Tata Communications, said, “DigiNotar’s breach has had major implications for the PKI that secures the iPhone, iTunes and Android. Because DigiNotar’s certificates were accepted and trusted by the browsers that are part of iPhones and Android, any application, code or data that was accepted into these environments from DigiNotar’s certificate is now suspect. Similarly, any website that was secured using a DigiNotar certificate is now suspect.
“In the PKI world, once the security provisions around a certificate authority are suspect, it is assumed that everything is bad. Trust is everything. Once trust is gone, the business is gone.”
Worse, the DigiNotar hack is not a first. “Certificates have been compromised before,” said Amit Sinhai, CTO at Zscaler, a cloud security provider. Case in point: in March, certificate issuer Comodo, based in Jersey City, NJ, acknowledged that a registration authority account had been compromised and used to issue nine fraudulent certificates, and later reported that two more RA accounts had been breached.
Search the Web archives and you will find many more instances of a few bad certificates here and there. The problem is that this is not as random or ignorable as it might seem. In fact, Morrison said at least some of the companies that are trusted certificate issuers do not warrant that trust or status.
“These are companies that once were important," said Morrison. "Now, they are automatically trusted third parties. The big issue now is that some of these once trusted companies are less trustworthy. Some have fallen into the wrong hands. Their root keys have been compromised.”
Bluntly put, Morrison is saying that some of the “trusted” authorities should be anything but. And that means decisions on trust abruptly get punted back to the individual user, a person who really has no way to know for sure whether a website is compromised or not.
It is fairly easy to edit the root certificate authorities in a Web browser on a computer, but few users ever revisit their certificate list. For those who want to, it takes a few clicks. In Internet Explorer, go to Tools, Internet Options, Content, then Certificates, and edit from there. In Firefox, go to Tools, Options, Advanced, then click the Encryption tab; click the View Certificates button, then the Authorities tab, and you can add or delete authorities. In Chrome, go to Settings, Under the Hood, then click "Manage certificates." One caveat: Internet Explorer and Chrome on Windows both use the operating system's certificate store, so a root removed there is removed for every program that relies on that store, not just the browser, whereas Firefox keeps its own list and must be edited separately.
Many users are in fact doing exactly that editing post-DigiNotar, deleting every certificate signed by the Dutch company.
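For administrators who would rather audit a trust store from the command line than click through browser dialogs, here is an added example (not from the article, and not a tool from any browser vendor): a POSIX shell script that splits a PEM CA bundle into its individual certificates and flags any whose subject organisation appears on a distrust list. It assumes the openssl CLI is installed. The two "roots" it builds for the demo are throwaway self-signed certificates generated on the spot, with the DigiNotar name used only as a stand-in label; they are not the real DigiNotar certificates, and a production check should match on the SHA-256 fingerprints of the exact distrusted roots rather than on the organisation name.

```shell
#!/bin/sh
# Added example: audit a PEM CA bundle for roots from a distrusted issuer.
# Requires the openssl command-line tool.
set -eu

# Issuer organisations no longer trusted. Assumption: for this demo the
# subject's O= field is enough; real deployments should pin fingerprints.
DISTRUSTED_ORGS="DigiNotar"

# Split the bundle $1 into one file per certificate under $2, then print
# subject and SHA-256 fingerprint of each cert whose subject O matches.
# Returns 1 if any distrusted certificate is present, 0 otherwise.
audit_bundle() {
  bundle="$1"; workdir="$2"
  mkdir -p "$workdir"
  awk -v dir="$workdir" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert" n ".pem" }
    out != "" { print > out }
    /-----END CERTIFICATE-----/ { close(out); out = "" }
  ' "$bundle"
  found=0
  for f in "$workdir"/cert*.pem; do
    [ -e "$f" ] || continue
    subject=$(openssl x509 -in "$f" -noout -subject)
    for org in $DISTRUSTED_ORGS; do
      # Newer openssl prints "O = X", older prints "/O=X"; match both.
      case "$subject" in
        *"O = $org"*|*"O=$org"*)
          fp=$(openssl x509 -in "$f" -noout -fingerprint -sha256)
          echo "DISTRUSTED: $subject ($fp)"
          found=1 ;;
      esac
    done
  done
  return $found
}

# Build a constructed demo bundle in $1: two throwaway self-signed roots,
# one of them a stand-in labelled DigiNotar. Generated here for the demo;
# these are NOT the real DigiNotar certificates. Prints the bundle path.
make_demo_bundle() {
  dir="$1"; mkdir -p "$dir"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/C=NL/O=DigiNotar/CN=DigiNotar Stand-in Root" \
    -keyout "$dir/bad.key" -out "$dir/bad.pem" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/C=US/O=Example Trust Co/CN=Example Root" \
    -keyout "$dir/good.key" -out "$dir/good.pem" 2>/dev/null
  cat "$dir/bad.pem" "$dir/good.pem" > "$dir/bundle.pem"
  echo "$dir/bundle.pem"
}

# Demo run: build the constructed bundle and audit it.
tmp=$(mktemp -d)
bundle=$(make_demo_bundle "$tmp/demo")
if audit_bundle "$bundle" "$tmp/split"; then
  echo "no distrusted roots found in $bundle"
else
  echo "distrusted roots present in $bundle: remove them before browsing"
fi
```

To audit a real store, point audit_bundle at the system bundle (for example /etc/ssl/certs/ca-certificates.crt on Debian-based systems) instead of the demo file; a non-zero exit status makes it easy to wire into a compliance check.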
It's a different, uglier case on a smartphone. “It is almost impossible to edit the certificates on a phone,” said Morrison, and yet the phone browsers (Safari on the iPhone, the stock Browser on Android) are utterly dependent on their built-in certificate lists for delivering a trustworthy browsing experience.
Ironically, although Apple removed DigiNotar from the trusted roots in its latest security updates for Lion and Snow Leopard on computers, it had not yet updated iOS to do the same, and Apple message boards filled with cranky posts from frustrated iPhone and iPad users seeking help in blacklisting DigiNotar.
Their frustration speaks to the issue confronting all mobile Web surfers.
“This whole thing is falling apart; unraveling,” said Morrison. The system, he said, had been fraying over “a number of years” and now the DigiNotar failure highlights how desperately “we need a different way of establishing trust in mobile."
That's the rub: trust becomes ever more essential on the mobile Web, yet it is getting harder to find. “We need to rethink how we get trust in the first place,” said Morrison.
A busy freelance writer for more than 30 years, Rob McGarvey has written over 1500 articles for many of the nation's leading publications -- from Reader's Digest to Playboy and from the NY Times to Harvard Business Review. McGarvey covers CEOs, business, high tech, human resources, real estate, and the energy sector. A particular specialty is advertorial sections for many top outlets including the New York Times, Crain's New York, and Fortune Magazine.