Wednesday, September 7, 2011

Digi Notice all those updates?

You may or may not have noticed, but over the last 96 hours your computer has probably been going completely nuts with automatic updating. Windows Update, Microsoft Update, Firefox Update, Mac OS X Software Update, Chrome Update, Thunderbird Update; pretty much every piece of software you have that connects to the Internet as part of its daily business has been frantically updating.

If you didn't notice, that's fine; it means that the automatic updates are working as intended, and that's good. Maybe you just clicked "OK" a few times, or tolerated an extra reboot or a sluggish startup in the morning when you got to the office. Cool if that's so, because unobtrusive background updating is one of the Great Good Joys of these times, and I'm pleased when it turns out as it should.

But if you did notice all that updating, and wondered what it was all about, here is (I think) the scoop: it all had to do with a tiny little company in Holland that nobody had ever heard of, named DigiNotar.

DigiNotar was (yes, I am using the past tense intentionally) one of the global Certificate Authorities: a commercial organization charged with the right, and responsibility, of issuing signed SSL certificates. These certificates are the foundation of server identity verification on the Internet; they are what makes that little "lock" icon appear in your browser when you access an "https" URL; they are what provide the software on your computer with the vital assurance that, when it ventures out into the cruel and heartless jungle of the Public Internet, it is talking to the partners that you think it is.

Concretely, when you sit down at your computer and enter https://mail.google.com, a web page appears in your browser. But how do you know that you are actually talking to the real GMail server? That is what SSL certificates do: your browser does a bunch of cryptography and ascertains that the server it got connected to presented a bit of data that can be independently verified as data that only an authentic GMail server could provide.

Unless, that is, some tiny Certificate Authority in someplace that you've never heard of gets hacked. By a powerful government agency. And is compromised for many months, possibly even years, allowing the Bad Guys to issue more than five hundred forged certificates for, essentially, every important web site on the planet.
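To see why one breached authority matters so much, here is an added example (not part of the original post) using the `openssl` command line: two throwaway roots each sign a certificate for the same hostname, and both certificates verify until the second root is dropped from the trust store. The CA names and the hostname `mail.example.test` are constructed, and `openssl verify` checks only the chain to a trusted root, not the hostname.

```shell
#!/usr/bin/env bash
# Added example. CA names and hostname are constructed; requires the openssl CLI.

# make_ca DIR NAME: create a self-signed root certificate and key.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$2" \
    -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# issue_leaf DIR CA HOST OUT: have CA sign a server certificate for HOST.
issue_leaf() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$1/$4.key" -out "$1/$4.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/$4.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" \
    -CAcreateserial -days 1 -out "$1/$4.pem" 2>/dev/null
}

# verdict STORE CERT: print "accepted" if CERT chains to a root in STORE.
verdict() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo accepted
  else
    echo rejected
  fi
}

# demo: build two roots, issue the same hostname from each, and compare
# the verdicts before and after the second root is dropped from the store.
demo() {
  host=mail.example.test
  d=$(mktemp -d) || return 1
  make_ca "$d" usual-ca && make_ca "$d" breached-ca || return 1
  issue_leaf "$d" usual-ca "$host" real || return 1
  issue_leaf "$d" breached-ca "$host" forged || return 1
  # Trust store before the update: both roots are trusted equally.
  cat "$d/usual-ca.pem" "$d/breached-ca.pem" > "$d/store-before.pem"
  # Trust store after the update: the breached root has been removed.
  cp "$d/usual-ca.pem" "$d/store-after.pem"
  echo "before: real=$(verdict "$d/store-before.pem" "$d/real.pem")" \
       "forged=$(verdict "$d/store-before.pem" "$d/forged.pem")"
  echo "after: real=$(verdict "$d/store-after.pem" "$d/real.pem")" \
       "forged=$(verdict "$d/store-after.pem" "$d/forged.pem")"
  rm -rf "$d"
}

demo
```

Nothing in the chain check ties a hostname to one particular authority, so the only remedy for a breached root is to stop trusting it everywhere, which takes a software update on every machine.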

At this point, my rambling isn't making things much clearer, though, so you need to get the facts. Read this, and then read this, and then read this.

I'd like to tell you there's a simple answer, but there isn't. SSL and its Certificate Authority trust chain are widely felt to be flawed beyond repair, but it isn't clear what could replace them. A number of people are working hard on a new basic security mechanism called DNSSEC, but it has both technical and political obstacles to overcome.

It may be a rocky road over the next few years. Hang on tight.

UPDATE: The technical team over at the Electronic Frontier Foundation have a new detailed discussion of the attack.
