The paper “Security Implications of Digital Certificates and Inadequate Legislation” is a fascinating literature review on information technology. Data security is a great concern for every organization, for information managers and for some individuals, especially internet users. Loss or illegal alteration of data, for instance, can result in awful consequences and huge costs to an organization. Indeed, a number of organizations have gone into receivership and disintegrated as a result of their data and information being compromised by criminals. Therefore, it is essential that people and entities entitled to the security of data in any information system remain pro-active and have a thorough knowledge of current security issues.
This paper highlights, especially to non-technical IT staff, the technical basis and security implications associated with certificate authorities and digital certificates, as well as with unknowledgeable lawmakers and the resultant inadequate regulations. It proposes that the unchecked rise of certificate authorities, coupled with their vulnerability to security breaches, undercuts the merits of digital (authentication) certificates as a security measure. Additionally, policymakers' lack of adequate knowledge of the workings and security of internet systems contributes to inadequate guidelines and regulations, which in turn worsens the state of data security.

Rise of certificate authorities and their vulnerabilities to security breaches

For a long time, many internet users have depended on digital certificates and trusted the certificate authorities that issue them.
A digital certificate, which is also known as a public cryptographic key certificate or authentication certificate (Sadeghi & Naccache, 2010; Thomas & Mclean, 2010), is a digital document that utilizes a digital signature to link a public key to a specific identity. The identity is simply the information of an organization or individual, including their address and other related details.
DeRoest (997, p. 87-88) has mentioned that a digital certificate contains at least a distinguished name and a related public key. An authentication certificate basically confirms whether a specific public cryptographic key is owned by the entity named in the certificate. Therefore, parties that rely on public keys can trust signatures (or, more generally, claims) made with the private key that corresponds to the certified public key. This approach to creating trust between the certificate owner and the relying party becomes practical only because both trust a third party, the certificate authority, which is entrusted with providing legitimate digital certificates.
A typical public key infrastructure (PKI) scheme includes a certificate authority, which is responsible for issuing and signing digital certificates. A PKI is simply the array of hardware, agencies, people, software, protocols, procedures and policies that are responsible for the creation, management and control of digital certificates (Cole, 2011, p. 130; Tittel, 2007, p. 33). Cole (2011, p. 142) has mentioned another variant of the PKI scheme, known as a web of trust, which involves either self-signed certificates, where the user provides the signature, or endorsed certificates, which are signed by other users.
It is therefore apparent that a certificate authority ought not only to be highly reliable, credible and trustworthy, but should also be closely controlled and highly secured.

Security breaches of certificate authorities

An attack on a certificate authority has devastating consequences. This assertion is supported by the recent attacks on a number of certificate authorities. Two certificate authorities, DigiNotar and Comodo, were hacked in a similar manner (Bright, 2011b) in two separate incidents.
The hacks involved issuing fake authentication certificates for webmail systems and subsequently using the certificates to intercept Internet traffic (Bright, 2011b). The outcomes of the attack on DigiNotar were highly detrimental to the organization and to many web users. The certificate authority lost its reputation and trust, and many web organizations blacklisted its digital certificates. Bright (2011b) has confirmed that digital certificates from DigiNotar have been excommunicated by Google, Microsoft, Apple and Mozilla. Additionally, secure connections to websites using DigiNotar's certificates could no longer be guaranteed.
One very significant user of DigiNotar's certificates is the Dutch government, which means that connections to its websites are insecure. In fact, the Dutch government has alerted the public that safe connections to its websites could no longer be guaranteed as a result of the attack on the Dutch-based certificate authority (Bright, 2011b).
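The following is an added worked example, not code from the paper or from any of the works it cites. It uses only Go's standard library (crypto/x509) to show the trust model described above in miniature: a certificate authority signs a certificate that binds a public key to a name, a relying party accepts that binding only because the CA's own certificate is in its trust store, and removing the CA from the trust store, as browsers did with DigiNotar, makes every certificate it ever issued unverifiable. It also shows that a certificate for one name is not accepted for another, and that a self-signed certificate (the web-of-trust variant) is rejected unless it has been explicitly trusted. The names "Example Root CA" and "mail.example.test" are constructed for the illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Scenario holds the three certificates the demonstration needs:
// a root CA, a leaf issued by that CA, and an unrelated self-signed leaf.
type Scenario struct {
	Root       *x509.Certificate
	Leaf       *x509.Certificate
	SelfSigned *x509.Certificate
}

// template builds a minimal certificate body for the given common name.
// CA certificates get the certSign usage; leaves get a DNS name and serverAuth.
func template(cn string, isCA bool, serial int64) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		t.KeyUsage |= x509.KeyUsageCertSign
	} else {
		t.DNSNames = []string{cn}
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// sign produces a certificate for pub, signed by signer. When parent is nil
// the certificate is self-signed: the subject vouches for itself.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func newKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// Build creates the root CA, a leaf the CA issued for mail.example.test,
// and a self-signed certificate claiming the same name (constructed names).
func Build() (*Scenario, error) {
	caKey, err := newKey()
	if err != nil {
		return nil, err
	}
	root, err := sign(template("Example Root CA", true, 1), nil, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	leafKey, err := newKey()
	if err != nil {
		return nil, err
	}
	// The CA's private key signs the leaf: this is the binding of key to identity.
	leaf, err := sign(template("mail.example.test", false, 2), root, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	selfKey, err := newKey()
	if err != nil {
		return nil, err
	}
	self, err := sign(template("mail.example.test", false, 3), nil, &selfKey.PublicKey, selfKey)
	if err != nil {
		return nil, err
	}
	return &Scenario{Root: root, Leaf: leaf, SelfSigned: self}, nil
}

// Verify is the relying party's check: chain the certificate to a trusted
// root and confirm it was issued for the host being contacted.
func Verify(cert *x509.Certificate, roots *x509.CertPool, host string) error {
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

func main() {
	s, err := Build()
	if err != nil {
		panic(err)
	}
	trusted := x509.NewCertPool()
	trusted.AddCert(s.Root)
	distrusted := x509.NewCertPool() // the CA has been removed, as browsers did for DigiNotar

	fmt.Println("leaf, trusted CA, right host:   ", Verify(s.Leaf, trusted, "mail.example.test"))
	fmt.Println("leaf, trusted CA, wrong host:   ", Verify(s.Leaf, trusted, "other.example.test"))
	fmt.Println("leaf, CA removed from store:    ", Verify(s.Leaf, distrusted, "mail.example.test"))
	fmt.Println("self-signed, not endorsed by CA:", Verify(s.SelfSigned, trusted, "mail.example.test"))
}
```

Note that `x509.NewCertPool()` with no certificates added is deliberately used for the distrusted case; passing a nil pool would fall back to the operating system's root store instead of an empty one.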
Antivirusworld, n.d. How does anti-virus software work? Web. http://www.antivirusworld.com/articles/antivirus.php. [Accessed November 24, 2011].
Bode, K 2010. OpenDNS CEO speaks out against COICA. Web. http://www.dslreports.com/shownews/111694. [Accessed November 29, 2011].
Bright, P 2011a. Another fraudulent certificate raises the same old questions about certificate authorities. Web. http://arstechnica.com/security/news/2011/08/earlier-this-year-an-iranian.ars. [Accessed November 46, 2011].
Bright, P 2011b. Comodo hacker: I hacked DigiNotar too; other CAs breached. Web. http://arstechnica.com/security/news/2011/09/comodo-hacker-i-hacked-diginotar-too-other-cas-breached.ars. [Accessed November 46, 2011].
British Broadcasting Corporation 2011. Arts groups tell BT to block access to The Pirate Bay. Web. http://www.bbc.co.uk/news/technology-15598438. [Accessed November 30, 2011].
Cole, E. 2011. Network security bible. Indianapolis, Indiana: John Wiley & Sons.
Dierks, T. & Rescorla, E 2008. The Transport Layer Security (TLS) Protocol, Version 1.2. Web. http://tools.ietf.org/html/rfc5246. [Accessed November 29, 2011].
Dimcev, A 2011. Random SSL/TLS 101 - SSL/TLS version rollbacks and browsers. Web. http://www.carbonwind.net/blog/post/Random-SSLTLS-101%E2%80%93SSLTLS-version-rollbacks-and-browsers.aspx. [Accessed November 27, 2011].
Giacomello, G 2010. National governments and control of the Internet: a digital challenge. Canberra: Routledge.
Goldsmith, J & Wu, T 2008. Who controls the Internet? Illusions of a borderless world. Oxford: Oxford University Press.
Goodin, D 2011. Hackers break SSL encryption used by millions of sites. Web. http://www.theregister.co.uk/2011/09/19/beast_exploits_paypal_ssl. [Accessed November 28, 2011].
Halliday, J 2011. British Broadcasting Corporation 2011. Web. http://www.guardian.co.uk/technology/2011/mar/22/isps-urged-to-block-filesharing-sites. [Accessed November 30, 2011].
Jenkins, H W 2011. Rethinking the digital future. Web. http://online.wsj.com/article/SB10001424052970203833104577072162782422558.html. [Accessed November 29, 2011].
Marlinspike, M n.d. New tricks for defeating SSL in practice. Web. https://www.blackhat.com/presentations/bh-dc-09/Marlinspike/BlackHat-DC-09-Marlinspike-Defeating-SSL.pdf. [Accessed November 29, 2011].
Mathew, L 2011. Microsoft Security Essentials accidentally marks Google Chrome as a Trojan. Web. http://www.geek.com/articles/news/microsoft-security-essentials-accidentally-marks-google-chrome-as-a-trojan-20110930. [Accessed October 29, 2011].
McMillan, R 2009. Security pro says a new SSL attack can hit many sites. Web. http://www.pcworld.com/article/182720/security_pro_says_new_ssl_attack_can_hit_many_sites.html. [Accessed November 25, 2011].
Microsoft Corporation 2007. What is social engineering? Web. http://www.microsoft.com/protect/yourself/phishing/engineering.mspx. [Accessed November 24, 2011].
Microsoft n.d. Identify fraudulent e-mail and phishing schemes. Web. http://office.microsoft.com/en-us/outlook-help/identify-fraudulent-e-mail-and-phishing-schemes-HA001140002.aspx.
Mutton, P 2011. Fraudsters seek to make phishing sites undetectable by content filters. Web. http://news.netcraft.com/archives/2005/05/12/fraudsters_seek_to_make_phishing_sites_undetectable_by_content_filters.html.
National Institute of Standards and Technology 2010. Implementation guidance for FIPS PUB 140-2 and the cryptographic module validation program. Web. http://csrc.nist.gov/groups/STM/cmvp/documents/fips140-2/FIPS1402IG.pdf. [Accessed November 29, 2011].
Patricelli, F 2002. E-business and e-challenges. Hemweg, Amsterdam: IOS Press.
Perez, S 2011. With Bitcasa, The Entire Cloud Is Your Hard Drive For Only $10 Per Month. Web. http://techcrunch.com/2011/09/12/with-bitcasa-the-entire-cloud-is-your-hard-drive-for-only-10-per-month. [Accessed November 24, 2011].
Poynter, I 2001. “In pursuit of validation.” Network World. Vol. 18, No. 9, pp. 73-74.
Press Association 2011. British Telecom urged to block illegal filesharing hub. Web. http://www.guardian.co.uk/technology/2011/nov/04/british-telecom-block-illegal-filesharing-site. [Accessed November 30, 2011].
Rescorla, E 2001. SSL and TLS: Designing and building secure systems. United States: Addison-Wesley Publishing Company.
Rescorla, E 2009. “Understanding the TLS renegotiation attack.” Educated Guesswork. Web. http://www.educatedguesswork.org/2009/11/understanding_the_tls_renegoti.html. [Accessed 27, 2011].
Scheidler, B., Slav, P., Benham, M., Krawczyk, P., Hovmark, T., Greene, T.C., Walker, R., Miller, C., Lasser, J 2002. IE SSL Vulnerability. Web. http://firstname.lastname@example.org/msg08807.html. [Accessed November 29, 2011].
Stroope, BE 2008. Bibliographic information. Australia: ProQuest.
Sweney, M 2011. BT under pressure to block The Pirate Bay. Web. http://www.guardian.co.uk/technology/2011/nov/04/bt-pressure-block-pirate-bay. [Accessed November 30, 2011].
Tan, KY 2006. Phishing and spamming via IM (SPIM). Web. http://isc.sans.edu/diary.html?storyid=1905. [Accessed November 21, 2011].
Tittel, E 2007. The shortcut guide to securing automated file transfers. San Francisco, California: Realtime Publishers.
Ulevitch, D 2011. An open letter to Congress about SOPA and Protect IP. Web. http://blog.opendns.com/2011/11/08/an-open-letter-to-congress-about-sopa-and-protect-ip. [Accessed November 28, 2011].
Wang, X. & Yu, H n.d. How to break MD5 and other hash functions. Web. http://merlot.usc.edu/csac-f06/papers/Wang05a.pdf. [Accessed 27, 2011].
Whitwam, R 2011. How convergent encryption makes Bitcasa’s infinite storage possible. Web. http://www.extremetech.com/computing/96693-how-convergent-encryption-makes-bitcasas-infinite-storage-possible. [Accessed November 27, 2011].
Wilkinson, B 2009. Grid computing: techniques and applications. Boca Raton, Florida: CRC Press.
Wong, G 2011. Diablo 3 beta invitation email phishing scam. Web. http://www.ubergizmo.com/2011/09/diablo-3-beta-invitation-email-phishing-scam. [Accessed November 29, 2011].
Yang, B 2011. Beware of Fake Skype Upgrade Phishing Email. Web. http://www.techairlines.com/2011/05/24/fake-skype-upgrade-phishing-email. [Accessed November 29, 2011].
Zittrain, J 2009. The future of the internet and how to stop it. New York: Jonathan Zittrain.
Zooko 2008. Convergent encryption reconsidered. Web. https://tahoe-lafs.org/pipermail/tahoe-dev/2008-March/000460.html.