“The (Not Quite) End Of Security On The Internet” – InformationWeek

December 30, 2008

CAD Quotables

The (Not Quite) End Of Security On The Internet
InformationWeek Security Weblog
By George Hulme
Dec 30, 2008
 
Speaking at the 25th annual Chaos Communication Congress in Berlin, security researchers showed how they developed a rogue (forged) Certificate Authority digital certificate. Yes, this is a big deal. But no, the Internet isn’t broken.

Generally speaking, a certificate authority is the trusted source that signs digital certificates (such as SSL certificates), kind of like a notary does in the physical world. That’s why, when you’re at www.mybankingsite.com, you’ll see a lock in your browser. This should mean that the Web site actually is www.mybankingsite.com and that your Web traffic is being sent to that site through a secured communications tunnel.

But as colleague Mike Fratto explains in his post “Yes, Trust In The PKI Is Broken,” this new research shows that forging digital certificates is possible and practical.

Read the story
http://www.informationweek.com/blog/main/archives/2008/12/the_not_quite_e.html

“Yes, Trust In The PKI Is Broken” – InformationWeek Analytics

December 30, 2008

CAD Quotables

Yes, Trust In The PKI Is Broken
InformationWeek Analytics
By Mike Fratto
Dec 30, 2008

The trust in digital certificates relies on the fact that the authority issuing the certificate has validated the identity of the person or company making the request and that the digital certificate can’t be forged. New research presented at the 25th Chaos Computer Congress shows that forging digital certificates is possible and practical. Trust in SSL is now broken.

SSL digital certificates are signed by certificate authorities, or CAs. When you go to an SSL-enabled Web site, the browser checks to see if the certificate was signed by a certificate authority contained in the browser.

Read the story
http://www.informationweek.com/blog/main/archives/2008/12/yes_trust_in_th.html
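Both excerpts describe the same check: Hulme's "lock in your browser" means the site's certificate chains to a trusted CA, and Fratto's "the browser checks to see if the certificate was signed by a certificate authority contained in the browser." The script below replays that check with the openssl command line. It is an added example, not code from either InformationWeek post or from the 25C3 researchers. It assumes openssl 1.1.1 or later on PATH; the CA names and the config file are made up for the demo, www.mybankingsite.com is borrowed from Hulme's post, and a PEM file stands in for the browser's root store. The last line reports the signature algorithm because the 25C3 forgery (Sotirov, Stevens and others, "MD5 considered harmful today") obtained an intermediate CA certificate whose signature verified under a real root that still signed with MD5; neither excerpt names the hash, so treat that as background rather than something the posts state.

```shell
#!/bin/sh
# Added example, not code from the InformationWeek posts or the 25C3 authors.
# Builds a throwaway PKI with the openssl CLI and replays the check a browser
# performs: does the site certificate chain to a CA in the trust store?
# Assumptions: openssl >= 1.1.1 on PATH; every name below is made up.
set -e
command -v openssl >/dev/null || { echo "openssl not found" >&2; exit 1; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Our own minimal config, so nothing from the system openssl.cnf leaks in.
# [ca_ext] marks a certificate as a CA, [leaf_ext] as a server certificate.
cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign
subjectKeyIdentifier = hash
[leaf_ext]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.mybankingsite.com
EOF

# new_ca PREFIX CN: self-signed CA certificate (PREFIX.key, PREFIX.crt).
new_ca() {
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 2 \
        -config pki.cnf -extensions ca_ext -subj "/CN=$2" \
        -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

# issue ISSUER SUBJECT CN SECTION: certificate for SUBJECT signed by ISSUER's key.
issue() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config pki.cnf \
        -subj "/CN=$3" -keyout "$2.key" -out "$2.csr" 2>/dev/null
    openssl x509 -req -in "$2.csr" -sha256 -days 2 \
        -CA "$1.crt" -CAkey "$1.key" -CAcreateserial \
        -extfile pki.cnf -extensions "$4" -out "$2.crt" 2>/dev/null
}

# verify_chain STORE LEAF [INTERMEDIATE...]: the browser's question. Succeeds
# only if LEAF, via the supplied intermediates, chains to a root in STORE and
# is valid for the host name typed into the address bar.
verify_chain() {
    store=$1; leaf=$2; shift 2
    extra=""
    for c in "$@"; do extra="$extra -untrusted $c"; done
    # word splitting of $extra is intended: one -untrusted per intermediate
    openssl verify -CAfile "$store" -no-CApath \
        -verify_hostname www.mybankingsite.com $extra "$leaf" >/dev/null 2>&1
}

# sig_alg CERT: the algorithm the issuer signed with. The 25C3 forgery was
# possible because a real CA still signed with MD5; "md5" here is the red flag.
sig_alg() {
    openssl x509 -in "$1" -noout -text \
        | sed -n 's/^ *Signature Algorithm: //p' | head -n 1
}

new_ca root  "Example Root CA"                     # the CA "contained in the browser"
cp root.crt truststore.pem                         # stands in for the browser's root store
new_ca rogue "Rogue CA"                            # self-signed, trusted by nobody
issue root  site   www.mybankingsite.com leaf_ext  # legitimately issued site cert
issue rogue fake   www.mybankingsite.com leaf_ext  # same name, untrusted signer
issue root  sub    "Example Sub CA"      ca_ext    # intermediate CA issued by the root
issue sub   viasub www.mybankingsite.com leaf_ext  # site cert via the intermediate

# report LABEL LEAF [INTERMEDIATE...]: print what a browser would conclude.
report() {
    label=$1; shift
    if verify_chain truststore.pem "$@"; then echo "$label: trusted"; else echo "$label: REJECTED"; fi
}
report "root -> site"            site.crt
report "rogue -> fake"           fake.crt
report "root -> sub -> viasub"   viasub.crt sub.crt
report "viasub without sub.crt"  viasub.crt
echo "site.crt signed with: $(sig_alg site.crt)"
```

The "rogue -> fake" case is what a forged certificate looks like when the forger has no foothold in the trust store: same host name, but the chain ends at a CA the browser has never heard of, so the lock never appears. The "root -> sub -> viasub" case is the shape of the 25C3 result: an intermediate CA whose signature checks out under a trusted root can issue for any name and the browser will accept it. The difference between this demo and the attack is only how the intermediate's signature was obtained, which is why the practical check for a site operator or browser vendor is `sig_alg` on every certificate in the chain, not just the leaf.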