Fake digital certificate problem way bigger than we thought


Let's back up a little bit so we're sure you know this term: digital certificate. It's an electronic document, issued and digitally signed by a certificate authority (CA) that your browser is built to trust, that binds a website's name to that site's public key. So if you go to Amazon.com, the certificate is what tells your web browser that this is the real thing, not a ripoff site that just looks like Amazon.

The news last week was that someone had broken into DigiNotar, a Dutch certificate authority, and used its systems to issue a fraudulent certificate for Google. Because the certificate carried the signature of a CA that browsers trust, it could in theory be used to intercept traffic to Gmail, Google+, or any other Google property. Google, upon hearing of this, blocked the certificate. Now we know that the problem was way, way worse than previously thought.

Kim Zetter of Wired's Threat Level blog has been following this story and reports, "They were actually able to create more than 500 certificates. And these were certificates that would allow someone to impersonate Google. Any actual subdomain on Google, so that would be Gmail, Google Docs. Also Yahoo, Skype, and certificates for the CIA's website."

So does that mean that all those sites are in danger? "No," says Zetter. "It just means that a fraud certificate has been issued. They've been revoked now, as many as they know about. There may be other certificates that they don't know about."

And that unknown is causing a lot of worry. Governments and companies around the world are doing yet more threat assessment. DigiNotar issues certificates for Dutch government computer systems, and with no way to be sure which of its certificates are genuine, the Dutch government has disabled large parts of its online presence as a precaution.

Someone claiming to be the hacker in question here boasted online about having broken into four other certificate authorities, including GlobalSign. This week, GlobalSign suspended the issuance of new certificates.

Anup Ghosh of the security firm Invincea says the fakes are hard to detect: "When we use our browser to do a secure connection, whether it's to Google or a bank, we look at the icon which shows it's a secure communication. That icon is based on the presence of that certificate. If the certificate can be forged, we as an end user have no way of knowing that that certificate was forged. In fact, the communication is now going to a different site than the one we think it's going to."
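Ghosh's point, and the description of a certificate earlier in this piece, can be made concrete. The shell script below is an added example, not code from the article or from any company it mentions. It builds a throwaway CA that plays the role DigiNotar played in a browser's trust store, has that CA sign a certificate for www.google.com, and shows that ordinary chain validation accepts the certificate simply because the signer is trusted. It then does what browser vendors did after the breach: reject that specific certificate by its fingerprint. The CA name, file paths, hostnames and blocklist are all constructed for the example; it assumes only a POSIX shell and the openssl command-line tool (1.1.0 or later, for -verify_hostname).

```shell
#!/bin/sh
# Added example: a certificate is trusted because a trusted CA signed it, not
# because the CA had any right to vouch for that name. Paths, names and the
# blocklist below are constructed for this demonstration.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# A throwaway root CA. For the relying party this plays the role of DigiNotar:
# it sits in the trust store, so anything it signs is accepted.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/CN=Example Trusted CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
}

# Have the CA sign a leaf certificate for an arbitrary hostname.
# $1 = hostname to put in the certificate, $2 = output file basename
issue_leaf() {
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$1" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" >/dev/null 2>&1
  printf 'subjectAltName=DNS:%s\n' "$1" > "$WORK/$2.ext"
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 30 -sha256 -extfile "$WORK/$2.ext" \
    -out "$WORK/$2.pem" >/dev/null 2>&1
}

# SHA-256 fingerprint of a certificate: the value vendors ship in a blocklist.
fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# What a browser does by default: walk the chain to a trusted root and check
# that the name in the certificate matches the host being visited.
# $1 = expected hostname, $2 = certificate file
chain_ok() {
  openssl verify -CAfile "$WORK/ca.pem" -verify_hostname "$1" "$2" >/dev/null 2>&1
}

# Chain validation plus a blocklist of known-fraudulent fingerprints.
# Returns 0 = accept, 1 = chain or hostname check failed, 2 = blocklisted.
# $1 = expected hostname, $2 = certificate file, $3 = blocklist file
check_cert() {
  chain_ok "$1" "$2" || return 1
  if grep -qxF "$(fingerprint "$2")" "$3"; then
    return 2
  fi
  return 0
}

make_ca
issue_leaf www.google.com rogue

# The CA never had authority over google.com, yet the certificate validates:
# this is why the end user "has no way of knowing" it was fraudulently issued.
if chain_ok www.google.com "$WORK/rogue.pem"; then
  echo "chain validation: accepted the rogue www.google.com certificate"
fi

# The fix browser vendors shipped: block the specific certificate by fingerprint.
fingerprint "$WORK/rogue.pem" > "$WORK/blocklist"
rc=0; check_cert www.google.com "$WORK/rogue.pem" "$WORK/blocklist" || rc=$?
echo "with blocklist: result $rc (2 = known-fraudulent certificate, rejected)"
```

The blocklist only catches certificates someone already knows about, which is exactly the worry Zetter raises about the ones DigiNotar has not found; a cryptographically valid certificate for a name the CA was never entitled to certify is indistinguishable from a real one until its fingerprint, or the whole CA, is distrusted.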

Ghosh says this incident will serve as yet another reminder of how fragile Internet security is: "What we're all learning is that the security companies that underpin the security of the Internet are as vulnerable as anyone else. And we can't take for granted that these communications will remain secure."

Also in this program, Twitter as the new literary salon. Bill Corbett is known as the voice of Crow on "Mystery Science Theater 3000" and as a conspirator at Rifftrax.com. He's now adapting a play he wrote 10 years ago into a Twitter feed: @Heckler4Truth.

About the author

John Moe is the host of Marketplace Tech Report, where he provides an insightful overview of the latest tech news.
