Hackers managed to infiltrate an organisation that issues HTTPS web security certificates earlier this month, almost triggering what privacy advocacy group the Electronic Frontier Foundation described as "an Internet-wide security meltdown".
HTTPS certificates allow web site operators to secure online transactions by informing a visitor’s web browser that the site can be trusted. They are issued by certificate authorities, whose responsibility it is to make sure they are only issued to trusted web sites.
On March 17th, browser makers Mozilla and Google issued software updates that blocked a number of security certificates. An investigation by online anonymity technology group Tor discovered that these certificates had all been issued by the same certificate authority, Comodo.
Following the investigation, Comodo revealed that it had been compromised by hackers who appear to have been operating from Iran. The hackers managed to obtain HTTPS certificates for a number of high-profile websites, including Google, Yahoo and Mozilla.
Were it not for the software updates, hackers could have used these certificates to trick browsers into trusting any website they chose.
Comodo says that potential damage was not so great, as the hackers did not get their hands on its master "private keys".
But according to the Electronic Frontier Foundation, the episode has revealed the vulnerability of the current security certification system.
"The incident got close to — but was not quite — an Internet-wide security meltdown," wrote senior staff technologist Peter Eckersley yesterday. "As this post will explain, these events show why we urgently need to start reinforcing the system that is currently used to authenticate and identify secure websites and email systems."