Following the news that Google has published a list of certificate authorities that it doesn’t trust, Brian Spector, CEO at MIRACL, comments:
“The fact that Google needs to keep a log of all the dodgy certificates out there shows just how prevalent this problem really is. As we have seen time and time again, any determined and well-funded attacker can keep trying the myriad of commercial certificate authorities until one with lax controls issues a legitimate code signing certificate.
It’s great to see Google making such efforts to protect users. But despite their best intentions, this latest initiative is basically an attempt to patch a problem that can’t be patched. The problem is architectural – it’s based on outdated public key infrastructure that creates a single point of compromise on the internet. The best thing to do is start over with a new system which distributes trust across multiple points. If we do nothing, fake certificates will destroy the trust architecture on the Internet, and once trust is gone, you can’t get it back.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.