This has been a long-standing procedure. If you are online and want to have an online identity certificate that identifies you, you have been required to go to various third parties (Verisign and GoDaddy, just to name two) and pay them to issue you a digital certificate that other folks then accept as being genuinely unique to you. The problem is that now you have placed the security and authenticity of your online identity in the hands of a third party. What happens when, not if, that third party gets hacked? Your online identity has been compromised, and those digital certificates aren't worth much now, are they?

This philosophy is very counter-intuitive. In banking we tell clients that you must be careful not to allow your identity to be stolen, and we rail against allowing third parties access to your information. Yet for online security we are doing just that. One of the basics is to NOT trust third parties with your information. We spend enormous amounts of time and money trying to prevent this very thing as much as possible. Why are we then spending the same amount of time and money doing just the opposite to verify we are who we say we are when we are talking about the Internet? If you just look at these two side by side, one is best practice and one is backwards. If we are going to tell folks that self-protection and self-generation is the way to go, why do the opposite online?

The RSA company was compromised, and now two-factor authentication tokens are all worthless until RSA generates a new algorithm. Comodo was just compromised through a third party of theirs, which then compromised Comodo's own certificate database for some very high-profile sites. If you have not updated your browsers (yes, all of them) you could now be receiving bad certificates that say they are genuine but aren't. Frankly this makes no sense to me. All a third party has to do is screw up once, and ALL of their clients can be affected. You then have to do something like update all of your software or redo all of your dongles once that occurs.

I use only self-generated certificates. That way I know they are genuine and aren't compromised. If I get compromised, it's only me. I don't see how this reliance on third parties for online security is progress.
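The self-generated-certificate approach described above, as an added shell example that is not from the original post: a certificate is generated locally, its SHA-256 fingerprint is recorded, and a peer's certificate is accepted only if it matches that pin or verifies against a trust store holding nothing but our own certificate. It assumes the openssl command-line tool is installed; the file names and the "mine"/"other" subjects are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: trusting a self-generated
# certificate by its own fingerprint, with no third-party CA in the loop.
# Assumes the openssl command-line tool; file names and the "mine"/"other"
# subjects are constructed for this demo.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Generate a private key and a self-signed certificate for subject $1.
make_self_signed() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# SHA-256 fingerprint of a certificate: the value you record out of band
# (config file, printed card, phone call) and later compare against.
fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Accept the presented certificate only if it matches the recorded pin.
check_pin() {   # $1 = presented cert file, $2 = pinned fingerprint
  [ "$(fingerprint "$1")" = "$2" ]
}

# Accept only if the certificate verifies against a trust store that
# holds just our own certificate, rather than hundreds of public roots.
check_store() { # $1 = presented cert file, $2 = trust store (PEM)
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Demo: our own cert ("mine") and an unrelated self-signed cert ("other").
make_self_signed mine
make_self_signed other
PIN=$(fingerprint "$WORK/mine.crt")
echo "pinned fingerprint: $PIN"
for peer in mine other; do
  if check_pin "$WORK/$peer.crt" "$PIN"; then
    echo "$peer: fingerprint matches pin, trusted"
  else
    echo "$peer: fingerprint mismatch, rejected"
  fi
  if check_store "$WORK/$peer.crt" "$WORK/mine.crt"; then
    echo "$peer: verifies against our trust store"
  else
    echo "$peer: not in our trust store, rejected"
  fi
done
```

The pin only protects the peers you have handed it to, and rotating the certificate means re-distributing the new fingerprint yourself; that is the trade the post argues for, and the operational cost that comes with it.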
Brian Krebs tweet: "as w/ this Comodo cert issue and the RSA mess, I'm struck by how many big security threats r beyond user's ability to do squat about them"
Comodo incident listing: http://www.comodo.com/Comodo-Fraud-Incident-2011-03-23.html
Microsoft advisory on the issue: http://www.microsoft.com/technet/security/advisory/2524375.mspx
Steve Gibson on the RSA hack: http://steve.grc.com/2011/03/19/reverse-engineering-rsas-statement/ (follow the embedded links too).