Can the Internet Be Made Trustworthy?
Speaking at RSA Conference 2012, the CEO of Qualys points to SSL flaws, malware in third-party ads, and insecure browsers as signs that the Internet needs a fundamental overhaul of trustworthiness.
The year 2011 was full of data breaches -- and 2012 may well be even worse, according to Qualys CEO Philippe Courtot.
Courtot delivered a keynote address at the RSA security conference in San Francisco on Wednesday, outlining his views on the need for a more effective approach to security. He also officially launched a new movement to help bring more trust to the Internet.
"The biggest challenge is the trustworthiness of the Internet itself," Courtot said.
The issue of trust comes down to multiple factors, several of which Qualys has helped to quantify. One issue Courtot highlighted is the problem with SSL trust. SSL is widely used to secure transactions across the Internet. A new Qualys study, still underway, has already scanned 1.4 million websites and found some surprising risks: according to Qualys, 54 percent of the sites scanned so far are still using SSL 2.0 -- a security protocol that Courtot noted was broken in 1995, a full 17 years ago.
Upgrading servers to take advantage of newer security protocols is relatively easy, according to Courtot. The harder problem to solve is SSL governance. There are currently approximately 650 SSL Certificate Authorities, and they lack adequate governance and oversight. The security of Certificate Authorities came to light last year with the breach of the certificate authority DigiNotar, which resulted in invalid SSL certificates being issued and used.
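As an added illustration of the server-side fix Courtot calls easy (this is example configuration, not anything from the article or from Qualys), here is an Apache 2.2-era mod_ssl fragment with the weak setting followed by the corrected one. The hostname and certificate paths are placeholders; disabling SSLv3 is a later hardening step the article does not discuss.

```apache
# Added example, not from the article. Apache 2.2 / mod_ssl, placeholder paths.

# WEAK: "all" enables every protocol the linked OpenSSL build supports,
# which on a 2012-era server still included SSL 2.0 (broken in 1995).
<VirtualHost *:443>
    ServerName weak.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/example.crt
    SSLCertificateKeyFile /etc/ssl/private/example.key
    SSLProtocol all
    SSLCipherSuite ALL
</VirtualHost>

# CORRECTED: drop SSLv2 (and SSLv3, a later hardening step) explicitly.
# On Apache 2.2 with older OpenSSL, "SSLProtocol -SSLv2" alone still left
# SSLv2 cipher suites advertised in the compatibility hello, so the SSLv2
# cipher alias is excluded as well. Anonymous and MD5 suites are dropped too.
<VirtualHost *:443>
    ServerName hardened.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/example.crt
    SSLCertificateKeyFile /etc/ssl/private/example.key
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite HIGH:!aNULL:!MD5:!SSLv2
    SSLHonorCipherOrder on
</VirtualHost>
```

With a 2012-era OpenSSL, `openssl s_client -ssl2 -connect hardened.example.com:443` should fail to handshake after the change. OpenSSL 1.1.0 and later removed SSLv2 entirely, so that client-side check is no longer available there and an external scanner such as the one the article describes is the practical way to confirm.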
Multiple efforts are currently in progress to address trust in SSL Certificate Authorities -- including security researcher Moxie Marlinspike's Convergence and the IETF DANE (DNS-based Authentication of Named Entities) proposal.
"The bottom line is we have to do something, it touches the very trust of the Internet," Courtot said.
Trust on the Internet is also being undermined by widespread malware. Courtot noted that Qualys is running a second study that has so far scanned 500,000 of the top domains tracked by Alexa. That study has found 3,000 infected pages in the top half-million sites, with 52 percent of those infections coming from third-party ads.
A third ongoing Qualys study looks at browser security, which also remains a major attack vector. An analysis of one million browser installations by Qualys found that 70 percent were vulnerable, with 80 percent of the security issues related to insecure plug-ins. Again, the fix is simple for end users: Qualys offers an online browser check service that alerts users to outdated plug-ins, and Mozilla has a similar effort.
While Courtot sees plenty of cause for concern about online trust, he believes the cloud can enable better security. On cloud computing platforms, attack vectors can be reduced through hardened perimeters, easier encryption, and more granular access controls.
To that end, Courtot used the RSA keynote stage to officially launch the Trustworthy Internet Movement (TIM). TIM is a non-profit, vendor-neutral initiative that aims to fund and foster collaborative innovation among corporations, cloud providers, and industry groups. The stated mission of TIM is to "resolve major lingering security issues on the Internet, such as SSL governance and the spread of botnets and malware, and to ensure that security is built into the very fabric of private and public clouds."
"Job number one is to ensure that we make the Internet trustworthy," Courtot said.
February 27, 2012