Web commerce hack attack may 'happen again'

A key web security system is no better defended now than when hackers undermined it earlier this year. So said Taher Elgamal, creator of the SSL (Secure Socket Layer) technology that is used to keep many different types of web transaction safe. SSL came under attack in September when hackers stole credentials that let them pose as almost any web firm. The stolen credentials were used to eavesdrop on the Gmail accounts of about 300,000 people. The credentials, known as certificates, were stolen from Dutch security firm DigiNotar. The attack is believed to have been carried out by the same hackers who stole certificates from Comodo in March 2011. In both cases, the attackers used their fake credentials to get at the web communications of people in Iran. Experts believe the hacks were carried out by the Iranian government to spy on the use of social media to organise protests by citizens. A similar attack could be used by cyber thieves who wanted to pose as a bank or web shop to steal cash and credit card information from users. Despite the two incidents and a claim by the hackers that they had access to four other firms that issue SSL certificates, little has been done to defend against these sorts of attacks, said Dr Elgamal, who is now chief technology officer at Axway. "It could happen again," he said. "There's no back-up plan, which is generally a bad security model." Dr Elgamal first developed SSL while working at Netscape and its usefulness led to it being adopted as a standard web technology known as Transport Layer Security (TLS) by the Internet Engineering Task Force. The system guarantees the identity of a website via certificates that are issued by trusted authorities. It is used millions of times every day to re-assure people that they are connecting to the site they think they are. The problem of what to do when certificate issuers were compromised never came up when the original work was being done on SSL/TLS, said Dr Elgamal. "Nobody asked the question of what to do if a certificate authority turns out to be bad," he said. The problem, he said, was not so much with the technology as it was with the firms issuing the certificates. "There's way too many of them," he said. However, said Dr Elgamal, TLS was not a static technology and in fact was regularly updated to tackle some of the shortcomings found by good and bad hackers "It's a big target," he said. "Of course we could design a new one but I don't see what the point of that is as it would just become the next big target." He pointed to updates to TLS which, if widely implemented by browser makers, could defend it from another attack. "The fact that TLS has stood the test of time and there's been problems and the community has worked to fix them tells me it's a reasonable technology," he said.