The Comodo Smirk

Contrary to what the Dalai Lama may have us think, people are not all goodness and light with the occasional slip-up. In Western societies the philosophy du jour seems to be ‘greed is good’ and everyone looks out for their own selfish interest. Often this is dressed in clothes called capitalism or free trade and is positioned as a form of realism. I have heard it suggested that anyone who tells you life is different from this is a naive idiot.
In that light we have the Comodo hack, where someone stole a root certificate and signed themselves bogus SSL certificates for major domains like Google, Skype, Mozilla and others. This happened in the middle of last month, so the dust has settled and we now see the fallout in the light of day.
We know the foundation of security is trust, and in a browser-based world SSL is touted as “secure”. SSL certificates don’t have to be issued by a central provider; we sell plenty of appliances that use self-signed certificates. That’s saying ‘we are who we are because we say it is so’. But self-signing is for devices we know and installed ourselves, so trust isn’t an issue there.
Obviously people need to access public systems and know a party is who they claim to be. SSL has in its design the idea of a third party who issues the certificate and verifies the customer is who they claim to be, thus creating a level of trust. We call this third party a Certificate Authority. In the case of Comodo, trust has been totally lost. The hacker isn’t Microsoft or Google or Skype, and the stolen certificates will certainly not be used in legitimate ways. It’s no better than my self-signed certificates.
Now to the juice, the guts, the rub of the matter. Browsers trust these certificates because they are signed by the Comodo root certificate. What is supposed to happen after trust is stolen is – WE NO LONGER TRUST THE COMODO ROOT CERTIFICATE. This is called revocation. The Comodo root certificate should be removed from a position of trust in your browser, but you and I can’t do this; only the browser guys can do this for us.
So why hasn’t this happened?
Because it’s about selfish economic gain and not about doing what’s right. Browser companies get no financial gain from revoking Comodo and may risk being sued by Comodo if they do. So the buck has been passed to the end user, making a mockery of the principles of revocation and opening the door to the hacker.
If selfish financial gain is the only lever these people respond to — they should be fined.