Tuesday, December 30, 2008

Scare Tactics and Security Warnings!

I like looking at big scary apocalyptic events. There's just something...calming...about it. Watching movies where the Earth gets destroyed makes me feel better about the real world and how comparatively un-screwed-up it is. This tendency of mine has spread to the internet, I think. I talked about some craziness a while back, but today's news is much more fun.

Hackers at the Chaos Computer Conference announced today that they have managed to completely break SSL by using 200 PS3s. Not just that they can spy on communications between hosts communicating over SSL, but that they can brute-force create a "trusted" certificate for whatever they want.

So let me posit a quick scenario. Hackers use the BGP flaw to redirect your bank's traffic to their server, where they've installed a freshly created fake trusted certificate and they man-in-the-middle till the cows come home. Not even two-way authentication can help you then. The best part is that these aren't "bugs" in the applicable protocols as much as flaws in their design.

I suppose in the beginning banks and other lucrative targets can filter known offenders from their access lists, but the use of botnets will stop that from being an effective tactic.

I wonder if [EDIT] two-way PKI will start being cost-effective to implement in that case, since (as I understand it?) the keys and certs aren't being recreated byte-per-byte, they're creating a rogue certificate authority and using that to issue certs. There's a large difference between that and replicating someone's 2048-bit private key. At least, I'm pretty sure. IANAC (I am not a cryptologist).

If the large institutions decide not to do anything, it might get really interesting. Maybe we'll have to go back to writing checks. ;-)