11 reasons encryption is (almost) dead

Peter Wayner | May 6, 2014
Massive leaps in computing power, hidden layers, hardware backdoors -- encrypting sensitive data from prying eyes is more precarious than ever

Encryption's weak link No. 11: Certificates can be faked
Let's say you go to PeteMail.com with an encrypted email connection, and to be extra careful, you click through to check out the certificate. After a bit of scrutiny, you discover it says it was issued by the certificate authority Alpha to PeteMail.com and it's all legit. You're clear, right?

Wrong. What if PeteMail.com got its real SSL certificate from a different certificate authority -- say, Beta? The certificate from Alpha may be technically real too, but Alpha simply issued a second certificate for PeteMail.com and handed it to the eavesdropper so the connection could be tapped. Man-in-the-middle attacks are much easier when the man in the middle can present a convincing identity. There are hundreds of certificate authorities, and any one of them can issue a certificate for any site, including yours.

This isn't a hypothetical worry. Those hundreds of certificate authorities are scattered around the world, and some are controlled by their local governments. Will they just create any old certificate for someone? Why don't you ask them?
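The practical defence is to stop treating every CA as equally authoritative for a given site and pin the key the site's real CA uses. The Go program below is an added example, not code from the article: it constructs two throwaway CAs, Alpha and Beta (the names and the host petemail.com are assumptions for the demo), has each issue a certificate for petemail.com, and shows that ordinary chain validation accepts both while a check pinned to Beta's key rejects the one from Alpha.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCert builds a constructed test certificate: a self-signed root when parent is nil,
// otherwise a server certificate for name signed by that root (errors ignored for brevity).
func newCert(name string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
	}
	if parent == nil { // root: sign itself
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	} else { // leaf: a TLS server cert for the host name
		tmpl.DNSNames, tmpl.ExtKeyUsage = []string{name}, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// spkiPin is the hex SHA-256 of a certificate's SubjectPublicKeyInfo, the usual pin format.
func spkiPin(c *x509.Certificate) string {
	return fmt.Sprintf("%x", sha256.Sum256(c.RawSubjectPublicKeyInfo))
}

// accept verifies leaf for host against roots. With pin == "" it is the default browser check
// (any trusted root will do); with a pin it also requires the root of the chain to be the one
// the site operator pinned, so a valid-looking cert from any other CA is rejected.
func accept(leaf *x509.Certificate, roots *x509.CertPool, host, pin string) bool {
	chains, _ := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host}) // nil on error
	for _, chain := range chains {
		if pin == "" || spkiPin(chain[len(chain)-1]) == pin {
			return true
		}
	}
	return false
}
```

Real deployments publish the pin out of band (an app config or a preload list) and keep a backup pin for key rotation, otherwise a CA change locks clients out.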
