I am incredibly surprised by this post from what I usually find to be a very high quality website. I am even more surprised at the number of people going “Yah! The whole PKI thing sucks.” I know a lot of cryptography concepts are hard for most people, but seriously, have any of you even tried to attack the infrastructure?
I know it sounds really easy, but it is actually quite complicated to do. Now that’s not to say it’s impossible, because there have been issues in the past, but honestly, the number of occurrences is slim compared to other sorts of identity-based crime. I definitely feel safer doing my banking online than I ever would receiving my bank statement in the mail.
But let’s really take a look at the problem. You are saying, why do you trust the CA when it may issue a certificate that it shouldn’t? But hell, why don’t you take it one step further: why do you trust the browser that puts its trust by default into the CAs that may not perform proper checks? You may say it’s the CA’s fault for issuing the certificate, but why do we trust Firefox and Internet Explorer so much to even accept that CA?
Besides this, the largest issue that exists is signing a signature for a derivative of a domain: google.com vs. gooogle.com (notice the extra o? A lot of people might not). A DNS interception with redirection or even cyber-squatting the typo, and a properly signed certificate, and the browser will not even alert you. This is enough to fool most people, but what absolutely cannot take place, assuming the CA hasn’t given a certificate to the wrong person, is if you go to google.com, it will only be secured by the real google.com.
For those of you who think authentication shouldn’t be part of SSL, it absolutely has to be done somewhere, or else you just broke the entire damn thing. Do your research, people, since you’re going to need to do some sort of cryptographic challenge for authenticity.
But do you know what really scares me most? What if these botnet runners and spammers stopped sending spam, and put these massive computational grids against breaking one of the larger CAs’ encryption keys? It may take a while, but if accomplished, this entire secured infrastructure could be taken down. I work for an ISP in Canada, and could easily modify our customer-facing DNS servers to redirect all our major banks’ web traffic. Combined with Verisign’s private key, even the best professionals will be tricked.
Time to edit my hosts file to statically point to the websites I wish to visit.
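
The lookalike case raised in the comment above (gooogle.com carrying a validly issued certificate) triggers no browser warning, so a domain owner usually catches it by watching the names that appear in issued certificates. The following is an added example, not part of the original comment: it flags certificate names within a small edit distance of a protected domain. The sample names are constructed, and `base_domain` (last two labels) is a simplifying assumption standing in for a Public Suffix List lookup.

```python
def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert, delete, substitute), two-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def base_domain(name: str) -> str:
    """Last two labels, lower-cased, wildcard prefix removed.
    Assumption: stand-in for a Public Suffix List lookup, so it is
    wrong for multi-label suffixes such as co.uk."""
    labels = name.lower().rstrip(".").removeprefix("*.").split(".")
    return ".".join(labels[-2:])


def find_lookalikes(cert_names, protected, max_distance=2):
    """Return (cert_name, protected_domain, distance) for names that are
    close to, but not identical to, a protected domain."""
    hits = []
    for name in cert_names:
        base = base_domain(name)
        for target in protected:
            d = edit_distance(base, target)
            if 0 < d <= max_distance:   # 0 means the real domain itself
                hits.append((name, target, d))
    return hits


# Constructed sample: DNS names as they might appear in certificate SAN fields.
SAMPLE_CERT_NAMES = [
    "google.com", "www.google.com", "gooogle.com",
    "www.gooogle.com", "g00gle.com", "example.org",
]

if __name__ == "__main__":
    for hit in find_lookalikes(SAMPLE_CERT_NAMES, ["google.com"]):
        print(hit)
```
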