THE digital-certificate system that is meant to block eavesdroppers nosing in on secure internet transmissions seems to be in tatters. The problem lies in certificate authorities (CAs), the companies that issue digital certificates and vouch for their authenticity. A CA can in principle create a certificate for any domain; browsers and other software treat any certificate from a recognised CA as valid, even if the domain's actual owner has requested no such document, nor given the CA permission to issue it.

Babbage has discussed some solutions, such as a notary network that constantly logs information about secured servers and warns users when a browser sees a new certificate appear out of nowhere on a site that has hitherto presented another one. The notary system has the advantage of requiring no fundamental changes to the internet's plumbing or server software. However, if it is to fix the problem it was designed to address—i.e., making internet communications safer by replacing the existing CA-based system—it does require widespread adoption. At present, only a few notary servers operate worldwide. Moreover, the special browser plug-ins needed to access them may be blocked in countries where internet users run the greatest risk of being snooped on by governments or other mischief-makers—in other words, where users need them most.

A useful staging post would be for browsers to be programmed to recognise only the CAs anointed by a legitimate certificate holder. This is called "pinning" a domain, and Google added this feature in recent releases of its Chrome browser, along with a separate security feature. In Chrome 13, Google has a pin definition for its Gmail service, which has been the target of hacks in places like China, Egypt and Iran.

Read more: The Economist
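To make the two mechanisms concrete, here is a small model of domain pinning and of the notary-style "a new certificate appeared" warning. This is an added example, not code from the article or from Chrome; certificates are modelled as dicts holding a subject and public-key (SPKI) bytes, and every key, host name and chain below is a constructed placeholder.

```python
"""Minimal model of domain pinning and a notary-style first-seen check.
Added example, not code from the article or from Chrome. Certificates are
modelled as dicts holding a subject and DER-encoded public-key (SPKI) bytes;
the key bytes below are constructed placeholders, not real keys."""
import hashlib


def spki_pin(spki_der: bytes) -> str:
    """A pin is the SHA-256 digest of the certificate's public key (SPKI),
    so it survives certificate renewal as long as the key is unchanged."""
    return hashlib.sha256(spki_der).hexdigest()


# Pins the domain owner has published: only this CA may vouch for the host.
PINS = {"mail.example.test": {spki_pin(b"ANOINTED-CA-KEY (constructed)")}}


def chain_matches_pins(host: str, chain: list) -> bool:
    """Accept the chain only if some certificate in it (leaf, intermediate
    or root) carries a pinned key. A host without pins falls back to the
    ordinary 'any recognised CA will do' behaviour the article criticises."""
    pins = PINS.get(host)
    if pins is None:
        return True
    return any(spki_pin(cert["spki"]) in pins for cert in chain)


class Notary:
    """Logs the leaf key first seen for each host and flags a later change,
    which is the warning a notary network gives the user."""

    def __init__(self) -> None:
        self.seen: dict = {}

    def observe(self, host: str, leaf_spki: bytes) -> str:
        pin = spki_pin(leaf_spki)
        if host not in self.seen:
            self.seen[host] = pin
            return "first-seen"
        return "unchanged" if self.seen[host] == pin else "changed"


# Constructed sample chains: one issued by the anointed CA, one by another
# CA that browsers would otherwise trust just as readily.
LEGIT_CHAIN = [{"subject": "mail.example.test", "spki": b"MAIL-KEY-1 (constructed)"},
               {"subject": "Anointed CA", "spki": b"ANOINTED-CA-KEY (constructed)"}]
ROGUE_CHAIN = [{"subject": "mail.example.test", "spki": b"MAIL-KEY-2 (constructed)"},
               {"subject": "Other trusted CA", "spki": b"OTHER-CA-KEY (constructed)"}]
```

The rogue chain is rejected only for the pinned host; for any other host it passes, which is exactly the gap pinning closes one domain at a time.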