Oh you’ve got to be kidding me.
A published report came out a bit ago about a hacker who basically destroyed the entire trust relationship scheme on the internet. I’m talking about digital certificates, those little pieces of computer code that verify the identity of a web site, or are used to secure a web connection between a server and a user. So why is this important? When you connect to a web server and see that little green title-bar or a closed lock icon, you know your connected to the right site and that the data you send back and forth is secure, encrypted and protected.
This hacker allowed a third party to crack that protection and view everything that was being transmitted. Now this might be a danger for those of us who bank online, but it was horrible and life threatening for activists in Iran. It turns out that the hacker gave this ability to the Iranian government who then used it to keep tabs on these activists during the Arab spring.
So how did the hacker manage to do this? It was sadly easier then you’d think. The company who issues these very important certificates was slack. Very, very, (very, very, very,) slack. The audit revealed that the company’s servers had malicious software, lacked anti-virus software and all used the same very simple password.
This is a company who is charged with protecting the security and safety of the entire Internet. Their servers issue certificates that prove the trust relationship and other certificate servers believe them and then users believe these servers. Sigh. If these “security experts” aren’t keeping up with basic security practices what chance do we have?
~Geof “certificate revoked” Franklin