On the BBC today: Iran accused in “dire” net attack. The implications of this for e-commerce are serious, and it is one more reminder that Internet security actually matters.
The attack was mounted on the widely used online security system known as the Secure Sockets Layer or SSL.
This acts as a guarantee of identity so users can be confident that the site they are visiting is who it claims to be. The guarantee of identity is in the form of a digital passport known as a certificate.
Here’s the problem as I see it:
Browsers have also been updated so anyone visiting a site whose credentials are guaranteed by the bogus certificates will be warned.
Will be warned. That’s the real problem though. Because of the lackadaisical and haphazard way that many companies attend to the security of their web sites, people are just as likely to receive exactly the same kind of warning about legitimate web sites: the browser shows one generic certificate warning whether the certificate is expired, was issued for a different host name, or was fraudulently issued by a compromised authority. Over time users have grown accustomed to these warnings and gotten used to clicking through to the offending sites despite them. As a result it’s probable that users receiving warnings about real security threats will ignore them and suffer the consequences.
There are lots of reasons we’re where we are right now with Internet security. For the most part it is the result of misplaced investment rather than no investment. Companies have spent obscene amounts of money on hardware “solutions” like firewalls, anti-virus and anti-spam appliances rather than adequately training and staffing internal security departments. They’ve also gotten used to running web sites with expired or “borrowed” security certificates (serving a certificate issued for one host name from a different host, which every browser flags as a name mismatch). Worst of all, many have completely outsourced security to outside firms and divested themselves of any internal capability to deal with security issues.
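The point above, that an expired certificate, a “borrowed” certificate and a fraudulently issued one all produce the same class of browser warning, is easy to see in code. The following is an added example written for this post, not code from the BBC article or from any browser vendor: it builds a throwaway PKI in memory with Go’s standard crypto/x509 package, issues certificates for constructed host names (shop.example, other.example, mail.example), and runs the same validation a TLS client performs. The fingerprint blocklist stands in for the browser updates the article mentions; real browsers key their blocklists differently (on issuer and serial, or on public-key hash), so the SHA-256-of-DER lookup here is an assumption for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// mkCert issues a certificate signed by parent, or self-signed when parent is nil.
func mkCert(name string, isCA bool, notBefore, notAfter time.Time,
	parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{name} // the host name the certificate is valid for
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	signer, signKey := tmpl, key
	if parent != nil {
		signer, signKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// Verdict runs browser-style validation of cert for host and reports the outcome in
// plain words. blocked is an assumed vendor blocklist keyed by SHA-256 of the DER.
func Verdict(cert *x509.Certificate, host string, roots *x509.CertPool,
	blocked map[string]bool, now time.Time) string {
	fp := sha256.Sum256(cert.Raw)
	if blocked[hex.EncodeToString(fp[:])] {
		return "warning: certificate is on the browser's list of known-bogus certificates"
	}
	_, err := cert.Verify(x509.VerifyOptions{DNSName: host, Roots: roots, CurrentTime: now})
	var hostErr x509.HostnameError
	var invErr x509.CertificateInvalidError
	var unkErr x509.UnknownAuthorityError
	switch {
	case err == nil:
		return "ok"
	case errors.As(err, &hostErr):
		return "warning: name mismatch (certificate issued for another site)"
	case errors.As(err, &invErr) && invErr.Reason == x509.Expired:
		return "warning: certificate expired or not yet valid"
	case errors.As(err, &unkErr):
		return "warning: issuer not trusted"
	default:
		return "warning: " + err.Error()
	}
}

// Scenarios builds a tiny PKI and returns the verdict for each situation the post
// describes. Host names and authority names are constructed for the example.
func Scenarios() map[string]string {
	now := time.Now()
	year := 365 * 24 * time.Hour
	trustedCA, trustedKey := mkCert("Trusted Root (example)", true, now.Add(-3*year), now.Add(10*year), nil, nil)
	rogueCA, rogueKey := mkCert("Rogue Root (example)", true, now.Add(-3*year), now.Add(10*year), nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(trustedCA) // only the trusted CA is in the "browser's" root store

	good, _ := mkCert("shop.example", false, now.Add(-time.Hour), now.Add(year), trustedCA, trustedKey)
	expired, _ := mkCert("shop.example", false, now.Add(-2*year), now.Add(-year), trustedCA, trustedKey)
	rogue, _ := mkCert("shop.example", false, now.Add(-time.Hour), now.Add(year), rogueCA, rogueKey)
	// Genuinely issued by the trusted CA, but later blocklisted by the browser vendor.
	misissued, _ := mkCert("mail.example", false, now.Add(-time.Hour), now.Add(year), trustedCA, trustedKey)
	fp := sha256.Sum256(misissued.Raw)
	blocked := map[string]bool{hex.EncodeToString(fp[:]): true}

	return map[string]string{
		"legitimate":  Verdict(good, "shop.example", roots, blocked, now),
		"expired":     Verdict(expired, "shop.example", roots, blocked, now),
		"borrowed":    Verdict(good, "other.example", roots, blocked, now), // shop.example cert served by other.example
		"untrusted":   Verdict(rogue, "shop.example", roots, blocked, now),
		"blocklisted": Verdict(misissued, "mail.example", roots, blocked, now),
	}
}

func main() {
	for name, verdict := range Scenarios() {
		fmt.Printf("%-12s %s\n", name, verdict)
	}
}
```

Only the first scenario validates; the other four all end in a warning, and from the user’s point of view an expired or borrowed certificate on a careless but honest site is indistinguishable from a bogus one. Note that the expired and borrowed cases still chain to a trusted root and carry a valid signature; the only thing wrong with them is operational sloppiness, which is exactly why habituation to those warnings is dangerous.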