Paul Vlissidis, technical director of NGS Secure, an NCC Group company, calls for an overhaul of the website certification system.
The Internet is built on trust and confidence. Individuals trust that the websites they visit are genuine; websites trust that the authorities certifying their sites as such are reliable. When this trust is attacked, an infrastructure that underpins the Internet is threatened – and 2011 is the year that criminals have taken advantage of this.
Certification authorities (CAs) provide websites with digital certificates. These certificates assure Internet users that websites are genuine, endowing them with the confidence to, for example, hand over contact details or credit card numbers. A triangular relationship exists between websites, CAs and individuals.
The intractable issue is that there is no organisation sitting above the reams of CAs that are, ultimately, dealing in trust and confidence. There are over 1500 of them – it’s complicated and convoluted, and there’s no overriding standard of security or quality. It is simply far too easy for an organisation to become a CA. So what value is being placed on trust?
Rather than be faced with a point where confidence in the Internet no longer exists, we need to amend the system now. What’s required is far greater transparency and clarity, whereby the security standards that CAs attain are public. If providers want to be trusted they need to unite, agreeing standards of security and scrutiny, with external experts performing rigorous audits.
In recent months DigiNotar and Comodo were hit by malicious hackers, KPN Corporate Market discovered a security breach that may go back four years, and Microsoft revoked trust in DigiCert Sdn. Bhd on the basis of poor security practices. As problems like this continue there will come a point when the system is untenable.
Internet trust relies on CAs not only being secure but also being seen to be secure. The onus is now on the industry to put its house in order.