It is said that any security system is only as strong as its weakest link. A team of researchers today proved that point yet again, showing the world how they could use known weaknesses in the certificate technology that underpins encrypted online transactions to undermine the security around e-commerce.
washingtonpost.com ran an in-depth story I wrote about their findings, along with a sidebar explaining the weakness in a bit more detail. Long story short:
An international team of security experts (photo courtesy of Alexander Klink) showed that they could subvert the system most of us rely on to secure our online transactions: even though the browser indicates that your connection is encrypted (the address starts with "https://") and has been vouched for by a third party as authentic, the site on the other end may in fact be a counterfeit controlled by an attacker and designed to steal your information.
Web users are taught early on to look for the padlock and an https:// address when shopping or banking online. Those indicate that the site presented a digital certificate issued by a certificate authority (CA), a company whose job is to verify that whoever requested the certificate actually controls the site named in it, and that the connection to that site is encrypted against would-be eavesdroppers. The padlock therefore says nothing about whether a site is honest; it says only that a CA vouched for the name, which is why the CA's signature has to be unforgeable.
There are dozens of CAs in business today. Trouble is, a handful of them still rely on an outdated and insecure hash function (MD5) when signing their certificates. MD5 is not an encryption method; it is the digest the CA signs in place of the certificate itself, and it has been known for years that an attacker can produce two different inputs with the same MD5 digest. What the researchers showed was that they could exploit exactly that: craft a rogue CA certificate whose MD5 digest matches that of an ordinary Web-site certificate the CA would willingly sign, so the CA's signature on the harmless certificate is equally valid on the rogue one. That effectively duplicates the signing authority of an affected CA, allowing them to forge a certificate corresponding to any address on the Web that browsers trusting the CA will accept without complaint. For anyone checking their own exposure, what matters is the signature algorithm on the leaf and intermediate certificates in a chain; a root certificate's self-signature is never verified by the browser, so MD5 there is harmless.
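As an added example, not from the post or from the researchers' work, here is a small stand-alone Python script that walks the outer DER structure of an X.509 certificate, extracts the signatureAlgorithm OID, and flags MD5-based signatures: the check a site operator would run over a certificate chain to see whether any signature in it could be forged this way. It parses only the three top-level fields of a certificate (tbsCertificate, signatureAlgorithm, signatureValue), needs nothing outside the standard library, and feeds itself a constructed, certificate-shaped dummy (it would never validate; it exists only to exercise the parser). The OID-to-name table and all helper names are my own.

```python
import base64
import re
from typing import List, Tuple

# Signature-algorithm OIDs (RFC 3279 / RFC 4055). Anything not listed is reported as a dotted OID.
SIG_ALG_NAMES = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
}
SEQUENCE, OID, NULL, BIT_STRING = 0x30, 0x06, 0x05, 0x03
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated DER element")
    return tag, value, pos + length

def decode_oid(value: bytes) -> str:
    """OID contents -> dotted string; the first byte packs the first two arcs as 40*a+b."""
    arcs = [value[0] // 40, value[0] % 40]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                    # a clear high bit ends the current arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def signature_algorithm(cert_der: bytes) -> str:
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }"""
    tag, cert, _ = read_tlv(cert_der, 0)
    if tag != SEQUENCE:
        raise ValueError("certificate is not a DER SEQUENCE")
    _, _, pos = read_tlv(cert, 0)           # skip tbsCertificate entirely
    tag, alg_id, _ = read_tlv(cert, pos)    # AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters }
    tag2, oid_bytes, _ = read_tlv(alg_id, 0)
    if tag != SEQUENCE or tag2 != OID:
        raise ValueError("malformed signatureAlgorithm field")
    oid = decode_oid(oid_bytes)
    return SIG_ALG_NAMES.get(oid, oid)

def audit_pem_chain(pem_text: str) -> List[Tuple[int, str, bool]]:
    """For each certificate in a PEM bundle: (index, algorithm name, signed with MD5?)."""
    out = []
    for i, m in enumerate(PEM_RE.finditer(pem_text)):
        der_bytes = base64.b64decode("".join(m.group(1).split()))
        name = signature_algorithm(der_bytes)
        out.append((i, name, name == "md5WithRSAEncryption"))
    return out

# ---- constructed sample input (not a real certificate; it only exercises the parser) ----
def der(tag: int, content: bytes) -> bytes:
    """Encode one DER element, using the long length form when the content exceeds 127 bytes."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def encode_oid(dotted: str) -> bytes:
    """Dotted OID -> DER contents (base-128 arcs with continuation bits)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)

def fake_cert(sig_oid: str) -> bytes:
    """Certificate-shaped DER with a dummy TBS body, long enough to need long-form lengths."""
    tbs = der(SEQUENCE, der(0x02, b"\x02") + der(0x04, b"\x41" * 200))
    alg = der(SEQUENCE, der(OID, encode_oid(sig_oid)) + der(NULL, b""))
    sig = der(BIT_STRING, b"\x00" * 129)    # leading byte = number of unused bits (0)
    return der(SEQUENCE, tbs + alg + sig)

def to_pem(cert_der: bytes) -> str:
    body = base64.encodebytes(cert_der).decode()
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    chain = to_pem(fake_cert("1.2.840.113549.1.1.4")) + to_pem(fake_cert("1.2.840.113549.1.1.11"))
    for idx, name, weak in audit_pem_chain(chain):
        print(f"cert #{idx}: {name}{'  <-- MD5 signature, forgeable' if weak else ''}")
```

On a real chain, pass the contents of the PEM bundle a server sends (leaf first, then intermediates) to `audit_pem_chain`; a flagged entry anywhere but a self-signed root is the exposure described above, since browsers never verify the root's own signature. The parser deliberately skips the tbsCertificate body, so it cannot tell you who the issuer is; it answers only the one question this attack turns on, namely which digest the CA signed.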