Biggest internet service security flaw: root certificates
32 2013-08-12 by colordrops
When the security of internet transactions comes up, people generally focus on the technical aspects such as encryption algorithms and the like. But the biggest flaw of all is being ignored. When a secure web server is set up, the owner purchases a certificate from a certificate "authority". The only thing required to become an authority is to have browser makers agree to include your certificate with the browser. There are hundreds of certificate authorities, and all you need is one to cooperate with the government to create fake certificates for man-in-the-middle attacks. With the PRISM program it has become obvious that corporations will work with the government to breach security, so there is no reason to trust root certificate authorities.
tl;dr: secure web transactions (https and SSL) are an illusion
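The post's core claim, that a browser accepts a certificate for any hostname as long as any one root in its trust store signed it, can be shown directly with the Go standard library's x509 package. The example below is added here and is not code from the original post: it builds two hypothetical root CAs, has each issue a certificate for the same hostname, and verifies both against a trust store that contains both roots. It then adds the check a practitioner actually uses to defend against a coerced or compromised root: pinning the SHA-256 of the leaf's SubjectPublicKeyInfo, so a chain that validates but presents a different key is still rejected. The CA names and the hostname are made-up values for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// ca bundles a root certificate with its private key.
type ca struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// newCA creates a self-signed root CA (hypothetical names; nothing here
// corresponds to a real CA).
func newCA(name string) (*ca, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &ca{cert: cert, key: key}, nil
}

// issueLeaf has the CA sign a server certificate for dnsName. Nothing in the
// protocol stops any trusted CA from doing this for any name.
func issueLeaf(c *ca, dnsName string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: dnsName},
		DNSNames:     []string{dnsName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, c.cert, &key.PublicKey, c.key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyChain does what a browser does: accept the leaf if ANY root in the
// trust store chains to it and the hostname matches.
func verifyChain(leaf *x509.Certificate, roots []*x509.Certificate, dnsName string) error {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: dnsName})
	return err
}

// spkiPin returns the base64 SHA-256 of the certificate's SubjectPublicKeyInfo,
// the value that public-key pinning compares against.
func spkiPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// pinnedOK requires both a valid chain and a matching pin, so a certificate
// from a different (even trusted) root with a different key is rejected.
func pinnedOK(leaf *x509.Certificate, roots []*x509.Certificate, dnsName, pin string) bool {
	return verifyChain(leaf, roots, dnsName) == nil && spkiPin(leaf) == pin
}

func main() {
	host := "www.example.com" // constructed hostname
	legit, _ := newCA("Example Legit Root")
	rogue, _ := newCA("Coerced Root")
	roots := []*x509.Certificate{legit.cert, rogue.cert} // both are "in the browser"

	genuine, _ := issueLeaf(legit, host)
	fake, _ := issueLeaf(rogue, host)

	fmt.Println("genuine cert, chain validation:", verifyChain(genuine, roots, host)) // <nil>
	fmt.Println("fake cert, chain validation:   ", verifyChain(fake, roots, host))    // <nil> too

	pin := spkiPin(genuine)
	fmt.Println("genuine cert with pin:", pinnedOK(genuine, roots, host, pin)) // true
	fmt.Println("fake cert with pin:   ", pinnedOK(fake, roots, host, pin))    // false
}
```

Both leaves pass ordinary chain validation because the verifier only asks whether some trusted root vouches for the name, which is exactly the weakest-link property the post describes. The pin check catches the substituted key, but it has to be distributed out of band (a pinset baked into an app, or a first-use record), so it protects repeat connections rather than the very first one.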
5 comments
5 Lord_NShYH 2013-08-12
Agreed - root certificates are dispensed by a cartel. Yes, you can set up your own PKI, but no one is going to trust your "self-signed" root certificates, and all modern web browsers will intimidate the casual user away from your site with verbose warnings that you may be entering a malicious site.
2 knappis 2013-08-12
No need to set up your own if you can just issue an NSL and get access to one of the trusted ones.
1 Lord_NShYH 2013-08-12
But trust is the issue here. Why should I trust a root certificate from the cartel or those associated with them?
2 knappis 2013-08-12
That is my point. If the NSA has issued an NSL you wouldn't know about it (gag order) and they would have all the keys they need.
3 texdeveloper 2013-08-12
IMHO the problem is that there is no alternative technology yet. I would love to see decentralized encryption used for public web pages, but the technology cannot support it yet.