Access Calls for Critical Fixes to Ubiquitous Web Security System
E-Commerce. The financial sector. Health care systems. Social Networks. All of these and other secure web communications rely on the SSL Certificate Authority (CA) System. SSL verifies trust in a confidential transaction, and relies on third parties, called Certificate Authorities, which manage this trustworthiness.
There have been numerous security breaches in 2011, but the compromise of DigiNotar, a Dutch CA with a market share of just 0.016%, shows the widespread effect these weaknesses present. In the DigiNotar case, valid SSL certificates for over 500 websites were issued to parties not associated with the institutions and organizations listed on the certificates.
In response, Access today is releasing “The Weakest Link in the Chain: Vulnerabilities in the SSL Certificate Authority System and What Should be Done About Them.”
Read here: https://www.accessnow.org/weakest-link
This policy brief (attached) not only examines the seriously alarming problems with the current system, but also proposes several practical policy recommendations on how to shore up the security of the SSL CA cryptosystem.
“While civil society bore the consequences of the DigiNotar breach, imagine what organized cybercriminals would have done to the financial world had they discovered and perpetrated similar attacks on HTTPS,” said co-author Gustaf Björksten, Technology Director of Access. “We need to implement all that is possible immediately to shore up the security of the SSL cryptosystem before another breach occurs.”
The paper outlines the two major weaknesses currently found in the SSL CA system — the overcommercialization of CA responsibility and the loss of confidence in these systems by merchants, organizations, and end users. While several organizations have stepped forward offering technical solutions to replace or patch the weakened system, these all require a considerable amount of time and do not address necessary short-term fixes. In “The Weakest Link in the Chain,” Access presents procedural, structural, and policy changes that can be quickly mandated, adopted, implemented, and enforced to strengthen the current system. These include:
- Create a global governing body to oversee all CAs
- Establish a comprehensive database of all CAs
- Support the research and creation of new, effective mechanisms for users of the system to verify the validity of certificates and components within the system
- Close loopholes in the certificate revocation system
- Educate users on these complex systems and how they can tell if they’ve been compromised
This ubiquitous system has served the web well for some time, but security weaknesses will continue if these serious issues are not addressed.
“The current situation is untenable and must change. Compromises to the SSL CA system can be a matter of life and death for activists on the ground, who historically have been the target of such attacks,” said co-author Jochai Ben-Avie, Policy Director of Access. “It is essential that the system be brought back to a level of security so vendors and users regain confidence in their transactions and communications on the internet.”
Read the paper here: https://www.accessnow.org/weakest-link
For more information, please contact Access’ Campaign and Media Strategist Mike Rispoli at email@example.com
Access is an international NGO that promotes open access to the internet as a means of free, full, and safe participation in society and the realization of human rights.