The front page of today’s USA Today carries a chilling warning for web users about the vulnerability of digital certificate authorities, following hacks of three such organizations this summer. There are around 650 of these authorities, and the fact that hacking has been uncovered at three of these in such quick succession should be a cause for genuine concern.
If these reports are correct, then they raise serious questions about the validity of web certification as a means of securing users’ data and identities. They would also appear to support calls for stronger authentication to help protect end user identity.
In the case of DigiNotar, one of the certification authorities which was hacked (and which filed for bankruptcy last week), it is claimed that no banks or financial services were involved in the attack, but it would seem only a matter of time before they too are targeted. The difference, of course, between the sites whose certificates were counterfeited (including Google, Facebook and Twitter) and the online portals of most major banks is the presence of two-factor authentication in the latter. Many large banks have added an additional layer of security to authenticate users, in most cases some kind of token or card reader, and those who have not should now be seriously reconsidering their position. But is it now time for other websites to start following the lead of the financial services and implementing stronger authentication?
MagTek’s president, Annmarie Hart, has been vocal this week in her belief that authentication, rather than encryption, holds the key to protecting data. Her comments will no doubt ring true with many of those across the world who may now be wondering if the websites that they access on a daily basis may in fact be carrying counterfeited certificates.
The real issue is in this case is trust. Without strong authentication methods in place, online identity cannot be trusted. In the past, when certificate authorities were considered safe, then the level of identity assurance provided by a username and password was not strong but sufficient. But if these ‘gatekeepers’ are compromised, this trust is shaken and it prompts organizations to re-examine their security. Strong authentication gives users control of their identity, based upon the requirement for two or more factors to verify that they are indeed who they purport to be. Stronger authentication may well be the best way of winning back some of the trust that the web is losing through incidents like these.