In a recent post, I described a new authentication mechanism for the web called Convergence.  While still based on Public Key Infrastructure (PKI) cryptographic certificates, it (mostly) side steps the need for so-called Certificate Authorities (CAs).  In that post I describe the problem that certificates solves, and how Convergence addresses a very substantial weakness present in the CA model.  In the CA model, the proliferation of CAs increases the likelihood of forged certificates, the presence of which break the CA model.

Just within the last few days, clear evidence has emerged that recently forged certificates (possibly a lot of them) have been used to carry out attacks – involving DigiNotar, a Dutch certificate authority that sells SSL certificates.  A wary surfer navigating to a google.com site noticed warnings in his Chrome browser indicating a MITM attack and he prudently raised the alarm.  Further investigation has started showing the extent of the forgery problem.

And this is a serious problem.  As has become a pattern in IT security, attacks once restricted to the domain of theory are rapidly making the transition to reality, in some cases with huge practical impact <RSA, Lockheed>.  The Certificate Authorities, however, are hiding behind… the APT.  “Nation State!  Nation State!”, is their cry.  The original Comodo attack as well as these new attacks are blamed on Iran (and by extension, the Iranian government), because that’s where the IP addresses associated with the attacks in some cases are shown to originate.

Let me make this point clear.  This is a smokescreen.  Subterfuge.  Hand-waving.  A big, fat, whopper of an excuse.

Just because the IP address is from Iran does not mean some significant government resources are behind these attacks.  Huge budgets and resources are not required.  At the Blackhat talk unveiling Convergence, Moxie Marlinspike made a very convincing case that the Iranian actor who hacked Comodo and made off with forged certificates was probably acting without any government support – and is a real bozo to boot.  Some of his bragging was comical and sophomoric – effectively akin to claiming to be able to tie his own digital shoelaces.  In addition, the day after stealing the certificates, the thief was found to have downloaded Marlinspike’s well known and publically available ‘sslsniff’ MITM tool.

The real kicker?  The referring URLs in Marlinspike’s logs show that his previous visit was to YouTube to get pointers on how to perform a MITM attack and what tools to use.

While it is possible that all this is meant to throw the scent off of the Iranian government’s trail, that truly taxes the imagination.  There is simply no evidence that the attack was sophisticated enough to require the resources of a nation state.

The real problem (and at this point nearly an unsolvable one) is the insecurity of the Certificate Authorities, and the motivation for ever increasing numbers of them.  It’s a solution that just doesn’t scale.

All this said, it’s really not Comodo’s, or any particular CA’s fault (well, at least notall their fault).  The problem is systemic.  There are roughly 650 Certificate Authorities in existence at present and that number is growing.  The proliferation of CA’s drastically increases the probability of certificate forgery and reduces the expense of pulling off such an attack.  The beauty of Convergence, on the other hand, is that increasing the number of Notaries increases the security of the infrastructure.  At the moment, bootstrapping this Notary infrastructure still relies on CA’s, but it drastically reduces the number necessary.  I also have my own ideas I am toying with to possibly reduce Convergence’s initial reliance on CAs.

This all leads to a larger point – the misdirection organizations feed to the media in response to hacks.  It is strongly in the interest of these organizations to cover their collective back ends.  The media’s current fascination with APT is a convenient rug under which organizations can sweep their woeful security practices.  Ending the APT excuses and taking basic but real steps to secure our infrastructure is the single most important thing we can do to improve the security landscape.