Re: Cert Authorities, Security, etc. -- another anecdote

Hi Noah,

> On 11 Dec 2014, at 3:43 am, Noah Mendelsohn <nrm@arcanedomain.com> wrote:
> 
> Another anecdote for the TAG to consider as it wrestles with issues relating to identity, security and the switch to HTTPS:
> 
> http://threatpost.com/new-version-of-destover-malware-signed-by-stolen-sony-certificate/109777
> 
> In short, hackers (famously) arranged a massive penetration of Sony's network. While there, they apparently stole copies of the keys needed to sign software for use with Sony's CA-authorized certificate, and...they went and signed a version of the very software they had used to achieve the break-in in the first place.

It's pretty universally true that if someone gets access to your credentials (often through bad host security or opsec), they can impersonate you. I know that there's a lot of work going on in IIW, IETF, and elsewhere to improve this situation, but I think most of that focuses around user credentials, not servers.

In this case, AIUI the attackers were able to sign software that had very high privileges -- ultimately not only putting the data that Sony had on client systems at risk, but also those systems themselves, including unrelated data. 

On the Web, we have a more limited exposure; if someone gets Sony's cert (for example), they can impersonate Sony and do things to data stored for Sony's site, but can't manipulate what I do on the rest of the Web, or destroy my system. They might be able to consume a lot of resources, but the damage is relatively isolated.

Of course, this isn't perfect, but it's a lot better than the all-or-nothing privilege model often associated with software installation; what happened to Sony seems like much more of a cautionary tale for signed software than it does for the Web.

Still, worth keeping in mind as we develop more powerful features (especially ones with system access).

Cheers,

--
Mark Nottingham   https://www.mnot.net/

Received on Thursday, 11 December 2014 00:08:33 UTC