The Worst Security Hack Ever: Digital world also requires trust

Breach Extends Beyond the Victimized Company

September 22, 2011 - Eric Chabrow

The breach earlier this month of certificate authority DigiNotar could prove to be the worst security event ever to happen on the Internet because it threatens, at its core, a fundamental principle of Internet transactions - economic and social - trust.

Hackers broke into DigiNotar computers and stole the private key used by the Dutch company to assure the trustworthiness of the digital certificates it issued to website operators to guarantee users that the site visited is the one they intended to access. Employing the stolen private key, the hackers issued counterfeit certificates aimed at fooling visitors into believing some of the websitse they're accessing are the ones they intended to visit, and not the sham sites they've arrived at.

Functioning in our society, whether in the real or digital world, requires trust.

Believed to be backers of the Iranian government, the hackers used the counterfeit certificates on Gmail, allowing them to direct users to a false site, in which they could spy on the messages dissidents sent, identifying them and those who they sent their e-mails. According to preliminary audit conducted by the IT security firm Fox-IT, more than 500 counterfeit DigiNotar certificates were issued to a wide range of organizations including the CIA; British and Israeli intelligence services; Internet companies Google, Microsoft and Mozilla; the social networks Facebook and Twitter; blog host Wordpress and credit-reporting agency Equifax.

The problem is that there is no way for visitors to verify the validity of the certificates. Check the URL, and one sees the https (https://gmail.com, for instance) in the URL that authenticates a trusted site. Click on a browser icon such as a locked padlock, and the window that pops up confirms the certificate was issued by a legitimate certification authority, even if it's a fake one.

Of course, if the browser company knows of the issuance of counterfeit digital certificates under the brand of a legitimate company, it can remove that company's digital certificates from the list of verified certificates, as many did with DigiNotar. But most DigiNotar certificates are legitimate, and if they're not on the list of verified certificate authorities on Chrome, Internet Explore, Firefox and other browsers, legitimate certificates have the same value as the counterfeit ones.

For DigiNotar, the breach has led to its demise; a Dutch court is liquidating the company under that nation's bankruptcy's law (see DigiNotar Declares Bankruptcy). Yet, DigiNotar could prove to be but one small victim of this breach, a footnote, perhaps. That's because functioning in our society, whether in the real or digital world, requires trust. The fundamental precepts of IT security are availability, confidentiality and integrity. Add them together, they equate trust. The DigiNotar breach places in jeopardy those fundamental precepts of IT security. And that puts all of us in jeopardy.