{"id":244,"date":"2015-11-06T14:11:55","date_gmt":"2015-11-06T14:11:55","guid":{"rendered":"https:\/\/icaruspressblog.wordpress.com\/?p=244"},"modified":"2019-04-17T12:12:12","modified_gmt":"2019-04-17T12:12:12","slug":"latest-ssl-certificate-breach-sparks-renewed-interest-in-phone-booths-typewriters-fax-machines","status":"publish","type":"post","link":"https:\/\/hidefideas.com\/blog\/2015\/11\/06\/latest-ssl-certificate-breach-sparks-renewed-interest-in-phone-booths-typewriters-fax-machines\/","title":{"rendered":"Latest SSL Certificate Breach Sparks Renewed Interest in Phone Booths, Typewriters &#038; Fax Machines"},"content":{"rendered":"<p><img loading=\"lazy\" decoding=\"async\" class=\" size-full wp-image-245 alignright\" src=\"http:\/\/hidefideas.com\/blog\/wp-content\/uploads\/2016\/03\/selectric.jpg\" alt=\"selectric.jpg\" width=\"405\" height=\"313\" srcset=\"https:\/\/hidefideas.com\/blog\/wp-content\/uploads\/2016\/03\/selectric.jpg 405w, https:\/\/hidefideas.com\/blog\/wp-content\/uploads\/2016\/03\/selectric-300x232.jpg 300w, https:\/\/hidefideas.com\/blog\/wp-content\/uploads\/2016\/03\/selectric-194x150.jpg 194w\" sizes=\"auto, (max-width: 405px) 100vw, 405px\" \/>With the <a href=\"http:\/\/www.washingtonpost.com\/national\/health-science\/quarter-mile-wide-asteroid-coming-close-to-earth-next-tuesday-but-dont-worry-it-wont-hit\/2011\/11\/04\/gIQA2W0umM_story.html\">world about to end on Tuesday<\/a>, you probably have more pressing matters on your agenda, like kissing your kids goodbye, donning your tinfoil hat, booking the first available space ark to Mars, and spending some last <!--more-->loving moments with the one you love the most \u2013 the Internet \u2013 using that quality time to finish those Torrent downloads, grab some Web porn for the long trip, and search for a good recipe for soylent green. 
But just in case the Earth doesn\u2019t get into a smackdown with an asteroid the size of an aircraft carrier and we\u2019re not all converted into the cosmic equivalent of a badly shipped box of corn flakes, you may want to take note of the latest SSL Certificate security breach. And when you hear how long the purported malware has been infecting their servers, you may be tempted to dust off your old typewriter and dig your fax machine out of the rummage pile in the basement.<\/p>\n<p>The encryption method that provides nearly every secure online transaction today is reliant upon third parties \u2013 the Certificate Authorities \u2013 to ensure that every connection is digitally signed as a reliable source; so what if those certificates are compromised? Well, for starters, we may be taking on some new computer overhead in the form of botnets or spyware. But that\u2019s just speculation, right? CAs offer secure digital transactions and we can all sleep at night, right?<\/p>\n<p><em>[Sigh]<\/em>. The hits just keep on coming in a year that has seen massive <a href=\"http:\/\/www.allspammedup.com\/2011\/06\/lockheed-martin-latest-to-succumb-to-%E2%80%9Csignificant%E2%80%9D-cyber-attack\/\">security breaches<\/a> and <a href=\"http:\/\/www.allspammedup.com\/2011\/06\/hatriot-games-sony-hacked-again-nintendo-a-wii-bit-compromised\/\">data breaches<\/a>, the unprecedented rise of <a href=\"http:\/\/www.digitaljournal.com\/article\/313919\">hacktivism<\/a>, the <a href=\"http:\/\/www.allspammedup.com\/2011\/09\/%E2%80%9Choly-insert-expletive-here-et-tu-ssl%E2%80%9D\/\">hacking of SSL\/TLS<\/a>, <a href=\"http:\/\/www.allspammedup.com\/2011\/11\/boo-tdl4-botnet-makeover-scary-as-hell\/\">deadly new botnets<\/a> and <a href=\"http:\/\/www.allspammedup.com\/2011\/08\/phishin%E2%80%99-magicians-think-the-spammers-are-getting-smarter-you%E2%80%99re-right\/\">smarter spammers<\/a>. 
Amidst all these high-profile stories, it may be tempting to turn a blind eye to a number of security breaches at SSL Certificate Authorities in 2011, and in case you were wondering, there have been a few. In fact, more than a half dozen CAs have been breached this year, including <a href=\"http:\/\/www.theregister.co.uk\/2011\/05\/24\/comodo_reseller_hacked\/\">four different Comodo resellers<\/a>, <a href=\"http:\/\/www.checkpoint.com\/defense\/advisories\/public\/announcement\/2011\/060911-cplm-2011-sk65277-diginotar-breach.html\">DigiNotar<\/a>, <a href=\"http:\/\/www.theregister.co.uk\/2011\/06\/21\/startssl_security_breach\/\">StartSSL<\/a>, and the ubiquitous <a href=\"http:\/\/www.theregister.co.uk\/2011\/09\/12\/globalsign_security_breach\/\">GlobalSign<\/a>. Now, the fine people over at The Register are <a href=\"http:\/\/www.theregister.co.uk\/2011\/11\/04\/ssl_still_hopelessly_broken\/\">reporting<\/a> that KPN Corporate Market, based in the Netherlands, has ceased issuing any new Secure Sockets Layer certificates after it discovered attack tools stored on its servers.<\/p>\n<p>The tools in question were Distributed Denial of Service (DDoS) attack mechanisms and while that may seem like serious business to most of us, KPN wants to assure us that it probably isn\u2019t anything to worry about. \u201cThere is no evidence,\u201d The Register states, \u201cthat the compromise affects KPN servers used to generate the certificates that Google, eBay, and millions of other services use to cryptographically prove their websites are authentic, rather than easily created imposters. 
But the possibility \u201ccan not be completely excluded,\u201d KPN officials said in a&nbsp;<a href=\"https:\/\/www.kpn.com\/corporate\/overkpn\/Newsroom\/nieuwsbericht\/KPN-stopt-uit-voorzorg-uitgifte-nieuwe-veiligheidscertificaten.htm\">statement issued Friday<\/a> (Google translation&nbsp;<a href=\"http:\/\/translate.google.com\/translate?sl=auto&amp;tl=en&amp;js=n&amp;prev=_t&amp;hl=en&amp;ie=UTF-8&amp;layout=2&amp;eotf=1&amp;u=http%3A%2F%2Fwww.kpn.com%2Fcorporate%2Foverkpn%2FNewsroom%2Fnieuwsbericht%2FKPN-stopt-uit-voorzorg-uitgifte-nieuwe-veiligheidscertificaten.htm\">here<\/a>).\u201d<\/p>\n<p>Okay, it most likely isn\u2019t anything. Well, it could be something, but how can anyone possibly know? I mean, it\u2019s not like the malicious software has been sitting there on the certificate servers, for like, oh, I don\u2019t know, four years or anything. Right?<\/p>\n<p>KPN states that it is taking action while it continues to investigate the breach, \u201cwhich may have taken place as long as four years ago.\u201d<\/p>\n<p>C\u2019MON, MAN! <em>Four years<\/em>? Are you freaking kidding me? To put that into perspective, that\u2019s one-fifth of the lifetime of the World Wide Web. CAs are supposed to be the front line of defense against botnets, spyware, adware, and a host of other security risks. I don\u2019t know if it\u2019s even possible (I\u2019m sure it is) to estimate just how many certificates have been assigned in four years, but when you consider the aforementioned breaches of other CAs \u2013 all this year \u2013 it makes one wonder if we\u2019ve been treading water in the River Styx all these years. \u201cThe compromise underscores the fragility of an SSL system that&#8217;s&nbsp;only as trustworthy as its most insecure, or most corrupt, member,\u201d notes The Register. 
The protocol has been around since 1994, and there is plenty of speculation today to suggest that <a href=\"http:\/\/www.theregister.co.uk\/2011\/04\/11\/state_of_ssl_analysis\/\">SSL is truly broken<\/a>.<\/p>\n<p>The Register points out that there are more than 600 CAs trusted by today\u2019s mainstream browsers and all that\u2019s needed to forge a replica of a credential for [insert website here] is unauthorized access to one CA. From an anti-spam perspective, it\u2019s bad enough that we have to worry about the websites that represent a clear and present danger. What happens when we can\u2019t trust any sites?<\/p>\n<p>Why don\u2019t you type me up a letter on your shiny new IBM Selectric and let me know?<\/p>\n","protected":false},"excerpt":{"rendered":"<p>With the world about to end on Tuesday, you probably have more pressing matters on your agenda, like kissing your kids goodbye, donning your tinfoil&hellip; <\/p>\n","protected":false},"author":3,"featured_media":245,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[13,14],"tags":[11,9,10,8,7],"class_list":["post-244","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security","category-spam","tag-allspammedup","tag-bot","tag-botnet","tag-malware","tag-spam","jsn-master"],"_links":{"self":[{"href":"https:\/\/hidefideas.com\/blog\/wp-json\/wp\/v2\/posts\/244","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/hidefideas.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/hidefideas.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/hidefideas.com\/blog\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/hidefideas.com\/blog\/wp-json\/wp\/v2\/comments?post=244"}],"version-history":[{"count":3,"href":"https:\/\/hidefideas.com\/blog\/wp-json\/wp\/v2\/posts\/244\/revisions"}],"predecessor-version":[{"id":1832,"href":"https
:\/\/hidefideas.com\/blog\/wp-json\/wp\/v2\/posts\/244\/revisions\/1832"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/hidefideas.com\/blog\/wp-json\/wp\/v2\/media\/245"}],"wp:attachment":[{"href":"https:\/\/hidefideas.com\/blog\/wp-json\/wp\/v2\/media?parent=244"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/hidefideas.com\/blog\/wp-json\/wp\/v2\/categories?post=244"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/hidefideas.com\/blog\/wp-json\/wp\/v2\/tags?post=244"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}