The real security issue behind the Comodo hack

News of an Iranian hacker duping certification authority Comodo into issuing digital certificates to one or more unauthorized parties has caused an uproar in the IT community, moving some critics to call for Microsoft and Mozilla to remove Comodo as a trusted root certification authority from the systems under their control. Though the hacker managed his feat by first compromising a site containing a hard-coded logon name and password, then generating certificates for several well-known sites, including Google, Live.com, Skype, and Yahoo, I’m not bothered by the technical issue. Instead, my main concern over Public Key Infrastructure (PKI) and digital certification is that users don’t understand it.

For the most part, people don’t care about digital certificates and the security they could provide. I have a hard time getting worked up about a system error that 99 percent of users simply ignore.

[ Master your security with InfoWorld’s interactive Security iGuide. | Stay up to date on the latest security developments with InfoWorld’s Security Central newsletter. | Get a dose of daily computer security news by following Roger Grimes on Twitter. ]

PKI is not the culprit First, I should point out that the PKI system didn’t fail, at least after the compromise. The designers of PKI realized from the very beginning that fraudulently issued certificates were a fact of life. They invented revocation for it. When the fraudulent activity was noticed, the major involved vendors revoked the certificates and issued security updates inform of the revocation. Security advisories were sent out and the worldwide news picked it up.

In short, the Comodo hacker did something that has been carried off and in all likelihood will happen again. He didn’t accomplish anything significant such as invalidating the math or crypto algorithms relied upon by the world’s PKI subsystems. The latter issue would be far more unsettling.

Blissful ignorance I’d be more concerned about this incident if people actually paid attention to digital certificate errors. However, study after study shows that most people simply ignore such warnings and move around them. I remember a study a few years ago that showed that the more one knows about digital certificates, the more likely one is to ignore certificate errors.

Ninety-nine percent of the world has no idea what a digital certificate is, how PKI works, or more important, what a digital certificate error means for their immediate computer security. I’ve been in many businesses that wholesale ignored or weren’t bothered by digital certificate errors. I remember working with one very large client when Internet Explorer 7 came out along with Windows Vista; the company got mad at Microsoft (my full-time employer) for flagging “all these revoked certificates.” The client had tens of thousands of them.

Within a few minutes, I was able to tell the client that its certificates had been revoked for months; it’s just that early versions of Windows and Internet Explorer didn’t check or warn as much about revoked certificates. Instead of reissuing certificates, which was what I expected, the client (I’m not making this up) decided to switch to Firefox, because Firefox had no problem with those certificates.

In the middle of my complaining about the inappropriate solution, Firefox underwent a major upgrade — and the new version also alerted the client to the revoked certificates. The client’s solution was still not to fix the problem but instead to disable revocation checking in Internet Explorer. When I explained that a revoked certificate was to be treated the same as a malicious certificate, they patted me on the head and sent me on my way.

Traveling, I watch people in airports and in hotels, where almost every site causes some sort of digital certificate error. Today, most browsers unequivocally spell out what accepting the invalid certificate means, saying something like, “Accepting this digital certificate could allow other to see your information or send you to a fraudulent Web site.” I’ve never seen a person who didn’t bypass the error and continue using the bad digital certificate.

I love PKI, crypto, and the absolute safety built into the math. PKI and digital certificates work, for the most part, the way the designers envisioned. In almost two decades of use, I can count the number of fraudulently issued certificates on two hands — out of hundreds of millions or billions issued. PKI succeeds, but overall, when you factor in human behavior, it fails miserably. That’s been a tough lesson to learn and a hard truth to swallow.

Although it’s not good that Comodo was involved in issuing fraudulent certificates, the hack is nowhere near my list of top 10 things I’m worried about on a daily basis. So far, these fraudulent certs have been used only a handful of times, but tens of thousands of people are compromised by a fake antivirus program warning every day. I wish the big problems that affect the most people got the headlines and emotional concern that Comodo has garnered. It’s sort of like how we don’t pay our top scientists nearly as much as our top rock bands and movie stars.

This story, “The real security issue behind the Comodo hack,” was originally published at InfoWorld.com. Keep up on the latest developments in network security and read more of Roger Grimes’ Security Adviser blog at InfoWorld.com. For the latest business technology news, follow InfoWorld.com on Twitter.