As stated in my previous blog post, SSL
(Secure Socket Layer) is meant to enable encrypted data to be
transferred over the internet, while PKI (Public key infrastructure)
is meant to distribute and verify certificates to users (websites,
programs, etc) that signify a legitimate source and secure data. Data
sent by SSL that has a PKI certificate is not meant to be inspected
by anyone, except for the parties involved in the requests and
responses.
Mozilla is a company that has most
notably been providing service to the public via a web browsers, and
tools for said browsers, for several years. The Firefox browser for
desktop and mobile devices, Camino for Mac OS X, and the Thunderbird
e-mail client are among the many tools they offer from their arsenal.
Mozilla browsers has been very highly regarded among many PC and
mobile device users. As of late, in light of all the privacy and
piracy controversy, Firefox's Do-not-track, Private browsing, and
simple yet powerful ability to disable cookies, are all features that
attract potential users.
Recently in the news, Mozilla has has requested that CA Certificates be revoked from certain entities who abuse the certificate in a way that violates the main philosophies of the Digital Certificate Authority. The Core of the issue is the SSL-encrypted traffic will be certified to be sent to, from, or through entities/companies' networks. This is made possible by the fact that if you have a certificate, you are essentially 'trusted' by the browser thus allowing for this loophole. This loophole allows for a man-in-the-middle style breach of security, or cognitive hacking through spoofing of safe sited. This is what a company called Trustwave ended up doing. They were using the certificate to spy on Inter-network traffic.
My question is, what can justify these actions? Is a network private property? It certainly, by law, is considered private property if a hacker breaks in. But suppose your internet traffic on a university network, you being a student or faculty, was spied on and allowed for the theft of sensitive information? Would that be in the network owner's right to do so, since it's their network? Or should internet traffic be private property to an extent? Trustwave ended up using the defense that inspecting such internet traffic within the network is a standard in the industry.
This
article explains in simple terms how certificates work and how
one can be compromised by malicious use of them, and also common
sense ways to protect yourself. Also This
articleexplains in decent detail how Trustwave, knowingly or
unknowingly, started issuing certificates that were used for spying.
Certificates and Encryption are a huge
deal for us internet folk. These “Verified Safe” and “Trusted
Site” symbols make us feel at ease when typing in our sensitive
credit card, social security, and phone numbers. It's a bit unnerving
how easy it actually is to fake the fact that you are Google, Yahoo
or Ebay, given the right resources. I think that either these systems
need to be locked down even tighter, or some new system needs to be
developed (if it has not been started already) to bolster the
security and assurance that we get when we as internet users see
“Verified/Secured/128bitSSL”
This sort of goes hand in hand with
cryptography and internet ethics, which really interests me. I'd like
to do some more research on the subject and definitely sort out my
misinformation that I have been swallowing these past few years. I'll
try to keep this subject close to my heart and start doing more posts
about it!
No comments:
Post a Comment