Two recent hacking incidents have highlighted the increasing fragility of the internet’s core infrastructure. They serve as a stark reminder that online security is somewhat illusory.
The weaknesses have been known for some time but the move to implement solutions has lacked momentum.
But events in the past few months may have pushed internet providers to a tipping point.
Comodo Hacker breaks SSL
In March, he hacked a company called Comodo, which is responsible for issuing certificates that underpin the secure internet protocol SSL, or Secure Sockets Layer – a cryptographic protocol that provides communication security.
These certificates are highly visible: you can see them when the padlock icon appears on a browser URL when you are connected to a secure site – for example, your bank.
Essentially, the hacker was able to use Comodo to create fake certificates for sites such as google.com and long.yahoo.com.
This hack was detected and disclosed early and its consequences were limited.
At the time, the hacker was identified as a 21-year-old Iranian national from information that he released.
The hacker wanted to impress the world with his skill, and sought to justify the hack as retaliation against what he perceived as actions by the US and Israel, in particular, in their role in the Stuxnet virus attack against an Iranian nuclear facility.
He insisted he was working alone and not, as allegations had claimed, that the attack was organised by the Iranian Government.
Comodo Hacker reprised
The Comodo hacker promised more to come, and was true to his word. Last month, the Dutch security company Fox-IT was asked to investigate the appearance of a rogue certificate for google.com online.
Although the certificate had been identified and revoked (effectively cancelled) on August 29, the hacker had compromised DigiNotar, the company responsible for issuing the certificate, during the period from June 27 to July 22.
There is evidence the google.com certificate had been used in Iran to fool users into thinking they were connecting securely to Google sites when, in fact, they were probably logging into sites controlled by the Iranian Government.
All communication, emails, usernames and passwords would have been available in unencrypted form.
The fact the certificates were being used to spy on the Iranian people was bad enough, but the problems didn’t stop there.
It turned out that DigiNotar, based in the Netherlands, was also responsible for issuing certificates for the Netherlands Government, among many other companies and organisations.
The hacker had issued 531 certificates from DigiNotar. This caused the browser manufacturers, Google, Mozilla (Firefox), Microsoft and eventually Apple to remove DigiNotar from their list of trusted Certificate Authorities (CAs) and issue patches to their software.
The Dutch Government and other DigiNotar customers will need to replace all of their DigiNotar certificates with certificates from another CA.
TurkGuvenligi breaks DNS
Another hacker (group) was, in the meantime, subverting a different piece of the internet. This hack was by someone calling himself TurkGuvenligi (The Legend) and basically involved a technique of DNS Hijacking.
The Domain Name System (DNS) is the way names such as www.google.com are translated into numbers, allowing programs to communicate with each other over the internet.
DNS Hijacking involves substituting the real address for another one.
So in the case of the TurkGuvenligi hack, sites such as Vodafone, The Register, The Telegraph and National Geographic were pointed to a website with the TurkGuvenligi name and a statement celebrating “World Hackers Day”.
The importance of the TurkGuvenligi hack is that, combined with fake SSL certificates, it means a person would have no idea they were not at the real site.
In the past, security professionals have claimed a spoofed DNS would not matter so much because, if you used a secure SSL connection, the browser would alert you to the fact that the certificate wasn’t correct.
By combining the Comodo Hacker’s exploit with that of TurkGuvenligi’s DNS attack you have a situation whereby literally anyone could fool a very large number of people into thinking there was nothing wrong.
The internet is broken
Society has increasingly come to rely on the internet for almost every aspect of life, from commerce through to health, personal expression and political dissent.
A great deal of this activity relies on being able to operate securely when needed.
When you are using your bank account, buying something online or organising a demonstration against a policy you don’t agree with, you need a secure connection to a legitimate site.
The events of the past few months have highlighted that we cannot rely on the current infrastructure to provide any sort of guarantee of a secure environment.
Solutions to fix the internet?
So, are there any alternatives to the current infrastructure that would be better?
On the SSL side, the Perspectives Project from Carnegie Mellon University has released a solution called “Convergence”.
In this scheme, instead of having a list of Certificate Authorities dictated by the browser, you can nominate people you trust (such as your local university) to validate a site that you are visiting.
The benefit of this is that you can change the list and have as many or as few “notaries” validate the site for you.
Another alternative to DNS that also helps with the SSL problem, but does not completely solve it, is DNSSEC, or Domain Name System Security Extensions, a suite specifications for securing certain kinds of information provided by DNS.
This provides security extensions to DNS and attempts to resolve the underlying problems with DNS hijacking.
Unlike Convergence, DNSSEC requires governments and internet providers to implement the fix. Coordination is only beginning to happen.
Whatever the full extent of the motives of these hackers, a clear outcome is that the internet is vulnerable to exploitation by governments, terrorists, criminals, activists and lulz-seekers.
Staying safe online can certainly be helped by awareness and good security practice, but greater truths are emerging.
Your internet security increasingly comes down to the fact you weren’t in the wrong place at the wrong time.