[ISN] Is SSL Cert Holder ID Verification A Joke?

From: InfoSec News <alerts_at_private>
Date: Tue, 24 Jan 2012 03:03:50 -0600 (CST)
http://www.darkreading.com/authentication/167901072/security/news/232500346/is-ssl-cert-holder-id-verification-a-joke.html

By Ericka Chickowski
Contributing Editor
Dark Reading
Jan 24, 2012

With the release of the BEAST exploit and the subsequent scramble by 
browser vendors to close vulnerabilities in SSL authentication, many 
Web authentication discussions in recent months have focused on the 
weaknesses of the SSL/TLS protocol itself. As some IT professionals 
explain, though, some of the biggest problems with SSL have nothing to 
do with the technology; they stem from poor practices. According to 
some, a finger should be pointed at certificate authorities, which they 
say need to do a better job of confirming the identity of certificate 
holders in order to bolster the trust placed in SSL certificates.

“SSL has been burdened with procedural failures, not technical ones. The 
issue is simple in concept, and complicated in execution: verifying a 
user's identity can't be done reliably by a machine,” says Bill Horne, 
who runs William Warren Consulting. “At some point, anyone who is trying 
to convince web users that their PKI certificate is valid must venture 
into meatspace and show up before a neutral third party to prove that 
they--or their company--are entitled to use the name that's on their 
X.509 PKI certificate.”

Chet Wisniewski, senior security advisor at Sophos, echoes Horne's 
sentiments, stating that he doesn't think the SSL protocol itself is 
broken, aside from its reliance on the antiquated model of central CAs.

“The methods they use to verify your identity are a bit of a joke. You 
can get an SSL certificate for just about anything. For $19, which is 
what these certs cost, they're domain-validated, which just doesn't mean 
a lot,” he says. “As far as I'm concerned, having those certs there is 
better than nothing because it protects you against things like 
Firesheep. But they should be free and the fact that they say they 
validate who (the certificate holders) say they are, it’s just horse 
manure.”

[...]

