People we don't trust
Every day, our Internet activities rely on digital proof that we're genuinely connected to people we trust. So what happens when we are digitally lied to?
Many things we use the Internet for assume a certain amount of trust. There's the obvious stuff, like access to bank accounts, and on-line shopping. Then there's renewing library books, Googlemail, Facebook and automatic software updates from the likes of Microsoft and Adobe.
Yes, it really does happen...
Generally speaking, Internet security works so well that we aren't really aware of it, but, like everything else, it has human 'feet of clay'. Recently there was a stark reminder of this in an incident that affected all Web users, everywhere, to some extent: DigiNotar.
Never heard of DigiNotar? That's understandable. They were a small Dutch company, operating as a root certificate authority. They've now been wound up by the Dutch government, but for a few weeks in late summer 2011 they had the world's most important software companies scrambling to respond to what was genuinely a global hacking threat, with the potential to put all our secure transactions at risk.
How do we know who is trustworthy?
Root certificate authorities include companies like Verisign and Thawte, whose logos you will often see when you visit a commercial web site. Until September 2011, DigiNotar was one, too.
The "certificates" they issue aren't things to frame and put on the wall of the office. They're actually complex digital security keys, absolutely necessary for the full functionality of the Internet. We rely on them electronically, as evidence we can trust web sites to be what and who they claim. This is true, irrespective of the type of computer or Web browser that we use.
Within this system, "Root" certificates are special things. They are the ultimate source of trust, and used to create or derive secondary certificate authorities, often themselves independent commercial operations, who then issue/sell certificates to business web site owners.
It's these derived certificates that we use on a daily, if not hourly, basis. At a business level, the various players in the chain are supposed to check out the bona fides of people wanting to buy certificates. So (a) endorses (b), who endorses (c), and so on. Thus the certificate on, say, your supermarket's web site can be traced back to an original root certificate authority, and everyone in the chain is digitally proven trustworthy.
But what if you can't trust the ultimate authority? Everything is thrown into doubt. If a root authority is compromised in some way the implications are very serious indeed.
How the DigiNotar incident developed
This is the rough sequence of events:
- DigiNotar's security was breached at an indeterminate time early in 2010. It may have been a physical break-in or a criminal employee, or hacking - we don't know.
- It is known that DigiNotar issued a fraudulent root certificate for Google's domain in July 2010.
- This was subsequently used for hacking.
- The security breach was eventually discovered, but kept secret by DigiNotar management.
The practical effect was that, using the fake certificate, hackers could pretend to be Google. Users would be none the wiser.
If a user was mis-directed to a fake web site, their browser would receive a certificate, and would check it against its master list of trusted digital authorities. DigiNotar was legitimately on the list, so the certificate would appear genuine in every way, just like banknotes from stolen printing plates. Worse still, because a root certificate was involved, secondary certificates could be issued, and the problem would grow exponentially.
It's important to stress that anti-virus, anti-phishing and anti-spyware products wouldn't, couldn't in fact, detect this sort of fraud if done carefully enough. It circumvents all the security systems on a typical PC, because, as far as the user is concerned, the fraudulent certificate IS genuine.
OK, all that was a big enough issue in itself, but it wasn't the cause for the undignified scramble the IT industry has recently experienced. The reason for the panic was that it was reportedly over a year before DigiNotar realised it had been penetrated by criminals, but then, even after they discovered the problem, they still took weeks to release the information to the world. It's the direct equivalent of letting a criminal gang pitch camp in a bank vault and not calling the police.
What is the risk now?
In the main, very small indeed, but there are some special cases:
- Obsolete software could still "trust" DigiNotar certificates.
- Anyone still using a DigiNotar-derived certificate on a web server has no legitimate reason to be doing so and could be attempting to steal data such as credit card details or passwords.
- Even if the organisation is genuine, with a legitimate but out-of-date DigiNotar certificate, it can, and probably will, be subject to 'man-in-the-middle' attacks, whereby a criminal entity intercepts legitimate traffic, stealing confidential data as it passes by.
This happened, more than once, in the early stages of the incident, before the compromised state of DigiNotar was public knowledge. Because of the global nature of the Internet the risk doesn't just apply to Dutch entities (the first attack was on Google customers!), but the risk now is confined to very old or unusual systems.
At the time of writing, I'm not aware of software installers that used fraudulent DigiNotar certificates, but that possibility exists, too. In that case you might download a patch for, say, a game for an old PC; it would be digitally 'signed' but would contain a virus. This risk is low, but theoretically possible.
What's happened recently (Autumn 2011):
The sordid details can be found on this page: http://en.wikipedia.org/wiki/Diginotar
DigiNotar's security/integrity breach was covered up for about a year! Once the scandal became public knowledge, the company was taken over by the Dutch government, who had a vested interest, having used DigiNotar certificates on their official sites. Eventually they were forced to wind the company up (early September 2011).
Do I need to do anything about this?
Probably not, but if your internet software is old, or you use an older Mac or PC to access the Internet, you should check. You should not be trusting any certificates issued by or derived from DigiNotar today.
Mozilla (who make Firefox), Microsoft, Google, Apple, and anyone else who can automatically update security certificates, have all now done so. That restored safety to those using recent software, but old browsers and operating systems may not automatically update themselves, leaving some element of risk.
For notes on fixing these issues yourself, check out FAQ 21. How to distrust security certificates. It steps through dealing with Diginotar certificates, but is generally useful if similar problems arise with another root authority. Contact us if you need help.
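The chain of trust described earlier (root endorses intermediate, intermediate endorses the web site) and the act of distrusting a root that FAQ 21 walks through can both be seen in working code. The Go program below is an added example written for this page, not code from the original article or from any browser vendor. It uses Go's standard crypto/x509 library to build a toy chain (a self-signed root, an issuing intermediate, and a server certificate), verifies the server certificate the way a browser does against a trust store that contains the root, then verifies it again for the wrong host name and again after the root has been removed from the store. The authority names, the host www.example.test and the one-day certificate lifetime are all constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// template builds a certificate template. CA templates get the cert-signing
// key usage; end-entity templates get the server-auth usage a browser expects.
func template(cn string, isCA bool, serial int64, dns []string) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour), // constructed lifetime
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		DNSNames:              dns,
	}
	if isCA {
		t.KeyUsage |= x509.KeyUsageCertSign
	} else {
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// issue generates a fresh key pair for tmpl and signs the certificate with
// parentKey. With parent == nil the certificate is self-signed (a root).
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// VerifyChain does what a browser does on connection: it checks that leaf
// (plus the intermediate the server sends) chains to a root in the trust
// store and that the certificate is valid for the host being visited.
func VerifyChain(leaf, intermediate *x509.Certificate, trustedRoots []*x509.Certificate, host string) error {
	roots := x509.NewCertPool() // an explicit (possibly empty) store, not the system one
	for _, r := range trustedRoots {
		roots.AddCert(r)
	}
	inters := x509.NewCertPool()
	inters.AddCert(intermediate)
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots, Intermediates: inters})
	return err
}

// Outcome holds the verification result under each trust-store state.
type Outcome struct {
	Trusted    error // root in the store, correct host: expect nil
	WrongHost  error // root in the store, certificate is for another host: expect an error
	Distrusted error // root removed from the store: expect an unknown-authority error
}

// Scenario builds root -> intermediate -> server certificate and verifies
// the server certificate three times, each against a different trust store.
func Scenario() Outcome {
	const host = "www.example.test" // constructed host name for the example
	root, rootKey := issue(template("Example Root CA", true, 1, nil), nil, nil)
	inter, interKey := issue(template("Example Issuing CA", true, 2, nil), root, rootKey)
	leaf, _ := issue(template(host, false, 3, []string{host}), inter, interKey)
	store := []*x509.Certificate{root}
	return Outcome{
		Trusted:    VerifyChain(leaf, inter, store, host),
		WrongHost:  VerifyChain(leaf, inter, store, "mail.example.test"),
		Distrusted: VerifyChain(leaf, inter, nil, host), // root withdrawn, as vendors did for DigiNotar
	}
}

func main() {
	o := Scenario()
	fmt.Println("root trusted:   ", o.Trusted)
	fmt.Println("wrong host:     ", o.WrongHost)
	fmt.Println("root distrusted:", o.Distrusted)
}
```

The third result is the point of the browser and operating-system updates mentioned above: once a root is pulled from the trust store, every certificate that chains to it, genuine or fraudulent, stops verifying, which is why an organisation still using a DigiNotar-derived certificate has to replace it rather than wait.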
What conclusions can we draw?
DigiNotar's initial secrecy on the matter was scandalous and led to its ultimate downfall.
As with all scams, the 'strong daylight' of public awareness has largely defused the risk, but, as this is a fairly techy issue, most people using the internet for daily transactions have no idea there has ever been any risk at all.
The old rules of business still apply in the digital age: make sure you know exactly who you are dealing with, and be vigilant. Perhaps too many of us trust technology without ever knowing what we are trusting or who's behind it.
As the desk sergeant always used to say in Hill Street Blues, "Stay safe out there."