Another one bites the dust

Dan Goodin reports in last Thursday’s Register that Netherlands-based KPN Corporate Market “has stopped issueing secure sockets layer certificates after discovering a security breach.” The details and a screed about the brokenness of SSL follow.

From the article:

Netherlands-based KPN Corporate Market said it was taking the action while it investigated the compromise, which may have taken place as long as four years ago.

Four years ago. Let that sink in. It did for Dan, who opines:

The compromise underscores the fragility of an SSL system that’s only as trustworthy as its most insecure, or most corrupt, member. With more than 600 certificate authorities trusted by the Internet Explorer, Chrome, and Firefox browsers, all that’s required to mint a near-perfect replica of a credential for Google Mail, or any other website, is to pierce the defenses of a single authority’s certificate issuance system. And with some of the authorities residing in countries such as China, it’s not a stretch to imagine them being compelled to issue fraudulent certificates

In fact the article url (as opposed to the title) really says it all:

“ssl_still_hopelessly_broken.”

The SSL certificate business has been a money-making success for lots of people over the years, including one pay-as-you-go astronaut (Thawte founder Mark Shuttleworth), but efforts to improve the security of the system have run afoul of mostly “corporate politics” (or sheer momentum) over the years — not to mention resistance from commercial vendors who didn’t want to invest in something they weren’t sure they could sell their customers.

Maybe it’s time to re-examine all that and come up with an actual… strategy?