Web Security - welcome to my world


markem
04-06-2011, 12:05 PM
Here is a link to an article that does an acceptable job highlighting what is the Achilles heel for secure web access (URLs that include 'https', where the 's' is about security).

http://www.nytimes.com/2011/04/07/technology/07hack.html?_r=1&hpw

Last fall, I taught a class on how the SSL/TLS protocols work. These protocols are what are in use with 'https'. The idea that you find out about someone's security key by getting a certificate from some place that you trust is a concept called a web of trust (for the truly geeky, google "Merkle's Tree Authentication"). Note that the protocols themselves can be absolutely secure, but if the information in the certificate is fraudulent, you get no security benefit from using that information.

The gist of it all is that security within your web browser only works when everyone plays nice. Fortunately, at this time, everyone plays nice a majority of the time. There isn't a better scheme in place and the present system is so pervasive that, in my opinion, until the fundamental protocols are broken (not likely) the system will remain in place. However, look for more controls on how certificates are added to your browser and perhaps some mechanism for auditing their validity better at the source.

Comodo is not the first major player to have this happen to it, just the one that is being written about.

shilala
04-06-2011, 12:18 PM
I just want to look at stuff. The more transparent your job is, the better you've done your job, right? Speaking on your job, if I had to do it, I'd stab myself in the neck with a fork. God Love you for taking one for the team, my brother!!! :tu

shilala
04-06-2011, 12:20 PM
Oh, and if you guys can take care of the Nigerian Prince on Craigslist, that'd kick ass.
This week I played with him a bit, and now he's sending the FBI to get me. I don't need that kind of aggravation. The FBI doesn't even take their shoes off when they come in your house. That's just ignorant.

357
04-06-2011, 12:48 PM
Be careful if outside the US and using SSL (site starting with https). Many countries limit the encryption level to a low enough standard that the local government can crack it (and monitor what you're doing).

Just my :2

markem
04-06-2011, 12:51 PM
Be careful if outside the US and using SSL (site starting with https). Many countries limit the encryption level to a low enough standard that the local government can crack it (and monitor what you're doing).

Just my :2

Set your browser options appropriately and the connection won't be made with weaker security than you specify.