Internet security is busted, said researchers at the Black Hat conference in Las Vegas today.
If this sounds familiar it’s because just a year ago, Dan Kaminsky (pictured left) found a flaw in the Internet’s address book, the Domain Name System, where hackers could fool DNS servers into redirecting traffic to bogus sites. The tech industry pulled together quickly to patch the hole and minimize the vulnerability.
The same thing happened here, as Kaminsky rounded up a coalition of companies to deal with a weakness in X.509, a cryptographic system used to create digital certificates. The digital certificates are the way that a web site can verify the identity of a unique users who is visiting the site and wants to do a transaction. It’s a lot like using a passport photo to identify someone standing in front of you. Everyone from Amazon.com to Microsoft uses it in so-called digital handshakes that precede e-commerce transactions.
When Kaminsky walked into the standing-room only auditorium where he talked about the flaws in X.509, he got a lot of applause. You would never know that a day earlier his own personal web site, Doxpara.com, got hacked. But Kaminsky held the crowd spellbound as he elaborated in great technical detail. Then he got started describing what he called the “crisis of authentication.” He showed that by altering a line in a digital certificate, hackers could fool users into believing that a site is legitimate when it really isn’t.
Businesses have invested hundreds of millions of dollars in the public key infrastructure system that was developed in the 1990s. Now Kaminsky, as well as grad student Len Sassaman (second from right) says we need to reboot the system. Tim Callen, (pictured far right), a vice president at Internet infrastructure authority VeriSign, pretty much agreed.
It’s a very arcane debate, and the risks of compromise aren’t entirely clear. It’s not easy to perpetrate attacks, but Kaminsky, as well as another researcher, Moxie Marlinspike (third from left), showed it is possible. At stake is trust in the Internet itself and electronic commerce. If sites such as eBay can’t authenticate who you are when you visit their site, make a purchase and pay with a credit card, then they simply lose a lot of business. Or lose their shirts to fraudsters.
“There’s an issue here,” Kaminsky said at a press conference at Black Hat. ” The Internet is broken. We want to fix it.”
One of the temporary fixes available is that browser vendors can block the use of particular kinds of X.509 implementations. VeriSign can also change the way it does things. But the road to fixing the problem permanently isn’t easy. One way is for companies and Internet overseers to accelerate the transition to DNSSEC, which is a secure extension of the Internet’s Domain Name System, the Internet’s address book. Making sure that everyone makes this shift could take years. But DNSSEC can at least fix both problems and more, whenever it is adopted. Smart cards would be another way to improve authentication, but they are by no means universal in use among either businesses or consumers.
Kaminsky said people have asked him if we should just rebuild the Internet from a secure point of view. But he said that doesn’t take into account existing infrastructure and is like building a city in a forest with no roads or highways leading to it. He says researchers have to work with the system we’ve got while coming up with long-term plans to shift to a better foundation.