London, Oct.19 (ANI): The creator of the Secure Socket Layer (SSL) technology that is used to keep many different types of web transaction safe, has warned that this key web security system is no better defended now than when hackers undermined it in September.
According to Dr. Taher Elgamal, "It could happen again. There's no back-up plan, which is generally a bad security model."
SSL came under attack in September when hackers stole credentials that let them pose as almost any web firm. The stolen credentials were used to eavesdrop on the Gmail accounts of about 300,000 people.
The credentials, known as certificates, were stolen from Dutch security firm DigiNotar.
According to the BBC, the attack is believed to have been carried out by the same hackers who stole certificates from Comodo in March 2011.
In both cases, the attackers used their fake credentials to get at the web communications of people in Iran. Experts believe the hacks were carried out by the Iranian government to spy on the use of social media to organise protests by citizens.
Despite the two incidents and a claim by the hackers that they had access to four other firms that issue SSL certificates, little has been done to defend against these sorts of attacks, said Dr Elgamal, who is now chief technology officer at Axway.
Dr Elgamal first developed SSL while working at Netscape and its usefulness led to it being adopted as a standard web technology known as Transport Layer Security (TLS) by the Internet Engineering Task Force.
The system guarantees the identity of a website via certificates that are issued by trusted authorities. It is used millions of times every day to re-assure people that they are connecting to the site they think they are.
The problem of what to do when certificate issuers were compromised never came up when the original work was being done on SSL/TLS, said Dr Elgamal.
"Nobody asked the question of what to do if a certificate authority turns out to be bad," he said.
The problem, he said, was not so much with the technology as it was with the firms issuing the certificates.
"There's way too many of them," he said. (ANI)
|
|
Comments:
