Monday, 12 September 2011
A presumably lone-but-patriotic hacker, known only as the Comodo Hacker, has been making the rounds in the news recently for compromising several of the most widely used certificate authorities (CAs). The attacker forged certificates for several well-trafficked sites, including Gmail, Microsoft, and Skype, which allowed an intermediate proxy to impersonate the target website. As a result, the email communications of some 300,000 Iranian users may have been monitored.
While the incident has sparked much political debate as well as an interest in the identity of the hacker, it reminds us of one of the basic security tenets: a chain is only as strong as the weakest link.
For instance, Google is known not only for its technical merits, but for its track record of protecting user privacy in spite of pressure from Big Brother-type governments. This self-proclaimed "do no evil" philosophy has attracted many users in politically sensitive regions to trust Gmail to keep their email secure. In fact, over the course of this incident, Google was proactive in protecting the security of its users, carrying out its due diligence with regular updates on its blog and urging Iranian users to double-check their account settings. In this case, however, personal email messages could be compromised because Google, as a web company, is unavoidably reliant on web browsers to handle digital certificates. The victim of the Comodo Hacker's attacks was one of the many other CAs trusted by popular browsers—one that wasn't even used by Google in the first place!*
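The weakest-link mechanism just described, as an added example that is not part of the original post: a browser's trust store lets any trusted root vouch for any hostname, so a certificate issued by a compromised CA the site never used validates just as well as the genuine one, and only a check that the chain ends at the CA the site actually uses (certificate pinning) tells them apart. All CA names, keys and the hostname `mail.example.com` are constructed placeholders.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// newCert builds a constructed test certificate (not real CA material): a self-signed root CA when parent is nil, otherwise a server certificate for the hostname `name` signed by parent.
func newCert(name string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
	}
	if parent == nil { // root CA: allowed to sign other certificates
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	} else { // leaf: server certificate valid for the hostname
		tmpl.DNSNames, tmpl.ExtKeyUsage = []string{name}, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// accepts models the browser check (any root in the store may vouch for any host); when pinned is non-nil the chain must additionally end at that one CA, which is what certificate pinning enforces.
func accepts(leaf *x509.Certificate, roots *x509.CertPool, host string, pinned *x509.Certificate) bool {
	chains, _ := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host}) // chains is nil when validation fails
	for _, chain := range chains {
		if pinned == nil || chain[len(chain)-1].Equal(pinned) {
			return true
		}
	}
	return false // no valid chain, or none anchored at the pinned CA
}

// Scenario returns (browser accepts forged cert, pinned check accepts forged cert, pinned check accepts genuine cert).
func Scenario() (bool, bool, bool) {
	const host = "mail.example.com" // placeholder hostname
	siteCA, siteKey := newCert("CA the site actually uses", nil, nil)
	otherCA, otherKey := newCert("Unrelated but browser-trusted CA", nil, nil) // the compromised one
	roots := x509.NewCertPool() // the browser's trust store holds both roots
	roots.AddCert(siteCA)
	roots.AddCert(otherCA)
	genuine, _ := newCert(host, siteCA, siteKey)
	forged, _ := newCert(host, otherCA, otherKey)
	return accepts(forged, roots, host, nil), accepts(forged, roots, host, siteCA), accepts(genuine, roots, host, siteCA)
}
```

Scenario() returns (true, false, true): plain validation accepts the forged certificate, and only the pinned check rejects it while still accepting the genuine one.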
Of course, building on top of the work of others is not only a fact of life, but is what drives technology forward at such a rapid pace. The series of intrusions is a grim reminder that we must be mindful when trusting third-party libraries and components. It is important, but not enough, to secure your own applications; you must also take into account possible vulnerabilities in any components that you use.
* Edit: The original text stated that the compromised CA was the one used by Google. This was not the case, as the attack was on a different (but browser-trusted) CA. Thanks to Desperate Olive for pointing out the error!