Internet Authentication's Wild Ride

Published: 22/11/2024   Category: security




BEAST exploit and CA hacks make for healthy debate about the future of the Internet's authentication mechanisms



From the exposure of new vulnerabilities and exploits in SSL and TLS to the very public attacks against digital certificate authorities, the past several months have been a roller-coaster ride for the reputation of the Internet's most fundamental authentication engines. Security pundits' opinions vary on what this means for trusted communication on the Internet. Some experts believe the constant influx of bad news is a sign that the Internet's trust model is broken, while others say it's simply the by-product of the security maturation cycle that the Internet's infrastructure will constantly experience.
"Five years ago we were still trying to get people to use SSL, so the fact that people are complaining about it today is, in my opinion, really good news because it means people are using it," says Tim "TK" Keanini, CTO of nCircle. "The bad news is that any flawed SSL implementation presents enormous risk because SSL and TLS handle all kinds of secure data, from e-commerce to login credentials."
According to Mike Murray, managing partner for consultancy MAD Security, when you're dealing with something as fundamental to the Internet's security infrastructure as SSL, there are always going to be problems with vulnerabilities and exploits popping up on a cyclical basis. He likens it to the years when BIND and Sendmail were issues until something better came along.
"Until SSL is replaced, I think this is part of the natural cycle of having something that integral to the infrastructure open to attack," Murray says. "The sky isn't falling -- this is the same thing we've had with other pieces of critical infrastructure for a long time. It's painful now, but if it [weren't] SSL, it would be whatever else we were relying on that was that important."
Nevertheless, the problems can't be ignored. According to a report at Black Hat this year, only about one-fifth of all SSL websites actually redirect to SSL for authentication. And the most recent issues with SSL and TLS surfaced in the past several weeks with the release of Browser Exploit Against SSL/TLS (BEAST), a new exploit found by security researchers Juliano Rizzo and Thai Duong that can perpetrate man-in-the-middle attacks by decrypting parts of an encrypted data stream using JavaScript. The exploit might have been new, but it leans on a decade-old vulnerability.
"From a risk and vulnerability perspective, this vulnerability existed for about 10 years now. There has just never been a practical exploit," says Dan Sherman, director of information security for Telos. He believes that, pragmatically, the proof-of-concept BEAST is not too worrisome to day-to-day security practitioners. "Is it possible? Sure," Sherman says. "Is it going to happen all over the place? I just don't see it happening that often."
Still, it was alarming enough to have Mozilla security experts discussing last week whether to disable Java within its Firefox browsers -- something that in and of itself could cause problems for enterprises.
"I don't really think they could really go forward and take Java applets out of the equation because even though it's not really used on the Internet anymore, I know a lot of companies that use them internally for their own internal sites and applications," Sherman says.
BEAST was just another niggling problem piled on top of the recent scandals against certificate authorities (CAs), such as Comodo and DigiNotar, the latter of which was driven to insolvency as a result of the fallout.
"The whole trust model appears to be broken. I think people in the early days kind of understood that when they were designing SSL that it was almost like a last-minute hack," says Keith O'Brien, adjunct professor of network security at NYU and a distinguished engineer for Cisco. "I think we just kind of took it and ran with it, and now we're realizing it's kind of run out of gas at this point."
O'Brien believes one of the big issues right now with Internet authentication is that the dependence on certificates takes away the user's ability to make decisions about who to choose to trust. Instead, that decision-making is thrust on browser developers or other centralized figures further up the stack.
"As a user I don't have any way to untrust [a certificate or CA] without breaking a lot of other things," he says. "If I go to my Web browser and untrust Comodo, I could break a good portion of the Internet from that."
O'Brien is among many security experts who believe the answer is in crowdsourced trust as laid out by initiatives such as the Carnegie Mellon University CyLab Perspectives project and Moxie Marlinspike's Convergence system. These solutions depend on a list of notaries that a user could choose to use to authenticate a website rather than one centralized CA.
"You would have a whole bucketful of notaries, maybe 10 to 20 on your list. You would query those notaries, and those notaries would return in response back to you what they have in terms of certificates for that site," O'Brien says. "So if you're under a man-in-the-middle attack, obviously what you're reporting as your certificate and what all of the other ones are reporting would be different. The idea is that you would distribute that trust around, and as a user you'd be able to change your list to whatever you want it to be."
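The notary comparison O'Brien describes can be sketched as a quorum check over certificate fingerprints. This is an added example, not code from Perspectives or Convergence; the notary names, the thresholds and the placeholder certificate bytes are assumptions constructed for illustration.

```python
import hashlib
from collections import Counter

def fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint of a certificate's DER bytes."""
    return hashlib.sha256(cert_der).hexdigest()

def notary_verdict(observed_fp, responses, min_responders=3, quorum=0.75):
    """Compare the certificate this client saw with what notaries report.

    responses maps notary name -> fingerprint, or None if unreachable.
    Returns (verdict, detail):
      ("agree", dissenting notaries), ("disagree", majority fingerprint),
      ("inconclusive", unreachable notaries).
    """
    answered = {n: fp for n, fp in responses.items() if fp is not None}
    if len(answered) < min_responders:
        # Someone on the path could also block notary traffic, so too few
        # answers is treated as "cannot decide", never as agreement.
        return "inconclusive", sorted(set(responses) - set(answered))
    matching = {n for n, fp in answered.items() if fp == observed_fp}
    if len(matching) / len(answered) >= quorum:
        return "agree", sorted(set(answered) - matching)
    # Quorum not met: report what most notaries see, for comparison.
    majority_fp, _ = Counter(answered.values()).most_common(1)[0]
    return "disagree", majority_fp

# Constructed sample data: placeholder bytes stand in for real certificates.
SITE_CERT = b"constructed DER bytes: certificate served by example.test"
SWAPPED_CERT = b"constructed DER bytes: certificate substituted on the path"
OLD_CERT = b"constructed DER bytes: previous certificate, cached by a notary"
NOTARIES = ["notary-a", "notary-b", "notary-c", "notary-d", "notary-e"]  # user-editable

def simulate(client_sees, unreachable=(), stale=()):
    """Reachable notaries report SITE_CERT; 'stale' ones report OLD_CERT."""
    responses = {}
    for name in NOTARIES:
        if name in unreachable:
            responses[name] = None
        else:
            responses[name] = fingerprint(OLD_CERT if name in stale else SITE_CERT)
    return notary_verdict(fingerprint(client_sees), responses)

if __name__ == "__main__":
    print(simulate(SITE_CERT))                           # all notaries agree
    print(simulate(SITE_CERT, stale=["notary-e"]))       # one dissenter, quorum holds
    print(simulate(SWAPPED_CERT)[0])                     # client sees a different cert
    print(simulate(SITE_CERT, unreachable=NOTARIES[:3])) # too few answers
```

Removing or replacing an entry in `NOTARIES` changes only whose observations count, which is the user-controlled trust decision the CA model does not offer.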