
Major Browsers To Remedy Web Security Flaws To Avoid Another Major Cyber Breach

By Author: EC-COUNCIL

Major browser makers are beginning to revisit how they handle Web authentication after last month's breach that allowed a hacker to impersonate sites including Google.com, Yahoo.com, and Skype.com.
The efforts are designed to remedy a flaw in how Web authentication is currently handled: a browser trusts every certificate authority in its root store to issue a certificate for any domain. So everyone from the Tunisian government to a wireless carrier in the United Arab Emirates that implanted spyware on customers' BlackBerry devices and scores of German colleges can issue digital certificates for the largest and most popular sites on the Internet, and browsers will accept them.
On Friday, Ben Laurie, a member of Google's security team, said the Mountain View, Calif., company is "thinking" about ways to upgrade Chrome to highlight possibly fraudulent certificates that "should be treated with suspicion."
Google Chrome is a web browser developed by Google that uses the WebKit layout engine. It was first released as a beta version for Microsoft Windows. The name is derived from the graphical user interface frame, or "chrome", of web browsers. As of January 2011, Chrome was the third most widely used browser and had passed a 10% worldwide usage share of web browsers, according to Net Applications.
Last month's Comodo breach would have done far less damage if a mechanism letting each site declare which certificate authority may vouch for it, such as the one Eckersley proposes below, were widely adopted and built into major browsers. The Jersey City, N.J.-based company announced on March 23 that an intruder it traced to Iran compromised a reseller's network and obtained fraudulent certificates for major Web sites, including ones operated by Google and Microsoft. The FBI is investigating.
Comodo alerted Web browser makers, which immediately scrambled to devise ways to revoke the fraudulent certificates. There's no evidence the certificates were misused.

Peter Eckersley, a senior staff technologist at the Electronic Frontier Foundation who has compiled a database of public Web certificates, says one way to improve security is to allow each Web site to announce what certificate provider it's using.
Each browser trusts as many as 321 certificate authorities equally, a security nightmare that allows any one of them to issue a certificate for, say, Google.com that every browser will accept. It's as if hundreds of superintendents in New York City each held a master key to every unit in every apartment building, as opposed to the normal practice of one master key per superintendent, opening only that superintendent's own building.
Eckersley says browsers should be developing "a way for each domain name holder to persistently specify its own private certificate authority if it wishes to." Once that is established, "mistakes at any one of thousands of other organizations would no longer give hackers a magic key to your systems," he says.
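The proposal above amounts to letting a domain pin the certificate authority that is allowed to vouch for it. The Go program below is an added example written for this page; it is not code from the article, from Google or from the EFF. It constructs a throwaway "trusted" CA and a throwaway "compromised reseller" CA, places both in one trust store (standing in for the hundreds of equally trusted roots a browser ships), and issues a certificate for the constructed host www.example.com from each. Under the stock browser model both chains verify. Once the site has pinned the SHA-256 hash of its own CA's public key (the pin format is this example's choice, not something the article or Eckersley specifies), only the legitimate chain passes.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// template builds a CA template (isCA) or a server template for the host `name`.
// All certificates in this example are constructed on the fly; no real CA is involved.
func template(name string, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	if isCA {
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage |= x509.KeyUsageCertSign
	} else {
		t.DNSNames = []string{name}
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// mint generates a P-256 key and signs tmpl with parent/parentKey, or self-signs
// it when parent is nil (a root CA). Returns the parsed certificate and its key.
func mint(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) }
	if parent == nil { parent, parentKey = tmpl, key }
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil { panic(err) }
	cert, err := x509.ParseCertificate(der)
	if err != nil { panic(err) }
	return cert, key
}

// spkiPin is the SHA-256 of a certificate's SubjectPublicKeyInfo: a stable name for
// a CA's key that a domain owner could publish as "only this CA may vouch for me".
func spkiPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// verifyAsBrowser is today's model: any root in the store may vouch for any host.
func verifyAsBrowser(leaf *x509.Certificate, roots *x509.CertPool, host string) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// verifyWithPin adds the per-domain rule Eckersley describes: the chain must be
// valid AND must pass through a CA whose key the domain owner has pinned.
func verifyWithPin(leaf *x509.Certificate, roots *x509.CertPool, host string, pins map[string]bool) error {
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	if err != nil { return err }
	for _, chain := range chains {
		for _, c := range chain[1:] { // chain[0] is the leaf itself; pins name CAs
			if pins[spkiPin(c)] { return nil }
		}
	}
	return fmt.Errorf("no valid chain for %s passes through a pinned CA", host)
}

// scenario reproduces the article's situation: the trust store holds the site's real
// CA and an unrelated, compromised one that has also issued a certificate for the site.
func scenario() (rogueAcceptedPlain, rogueAcceptedPinned, legitAcceptedPinned bool) {
	const host = "www.example.com" // constructed host for the example
	realCA, realKey := mint(template("Example Trusted CA", true), nil, nil)
	rogueCA, rogueKey := mint(template("Compromised Reseller CA", true), nil, nil)
	realLeaf, _ := mint(template(host, false), realCA, realKey)
	rogueLeaf, _ := mint(template(host, false), rogueCA, rogueKey)
	roots := x509.NewCertPool() // stands in for the hundreds of roots a browser ships
	roots.AddCert(realCA)
	roots.AddCert(rogueCA)
	pins := map[string]bool{spkiPin(realCA): true} // published by the domain owner

	rogueAcceptedPlain = verifyAsBrowser(rogueLeaf, roots, host) == nil
	rogueAcceptedPinned = verifyWithPin(rogueLeaf, roots, host, pins) == nil
	legitAcceptedPinned = verifyWithPin(realLeaf, roots, host, pins) == nil
	return
}

func main() {
	plain, pinnedRogue, pinnedLegit := scenario()
	fmt.Println("rogue certificate accepted by plain browser model:", plain)
	fmt.Println("rogue certificate accepted once the site pins its CA:", pinnedRogue)
	fmt.Println("legitimate certificate accepted with the pin in place:", pinnedLegit)
}
```

The pin names the CA's key rather than the leaf certificate, so the site can renew or re-key its own certificate without touching the pin; what it cannot do is silently switch to a different CA, which is exactly the move a compromised reseller would need to make on its behalf. How a browser would first learn and then persist the pin is the part the article leaves open.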
Securing domain names with a technology called DNSSEC will also play a "large" role, he says. The Domain Name System Security Extensions (DNSSEC) are a suite of Internet Engineering Task Force (IETF) specifications for securing certain kinds of information provided by the Domain Name System (DNS) on Internet Protocol (IP) networks. They extend DNS so that resolvers can verify the origin and integrity of DNS data and receive authenticated denial of existence; DNSSEC provides neither availability nor confidentiality. The relevance here is that DNS answers a browser can verify give a domain owner a channel, beyond the certificate itself, through which to state which certificate authority it uses, without an attacker being able to forge that statement.
Comodo's revelations have highlighted the flaws of the current system. Revocation is unreliable: browsers consult certificate revocation lists or OCSP responders, but they treat a failed or blocked check as a pass, so a fraudulent certificate is only effectively dead once each browser vendor ships an update that blacklists it. There is no public list of the certificates that companies like Comodo have issued, or even of which of their resellers or partners have been granted the ability to issue certificates on their behalf, the equivalent of a duplicate set of the master keys. And there is no mechanism to prevent a compromised company, or a repressive regime bent on surveillance (some of which run their own certificate authorities), from issuing fraudulent certificates for Yahoo Mail or Gmail.
Identifying and fixing flaws in Web security is not an easy task unless it is carried out by highly trained information security professionals. Organizations need to implement robust Internet security initiatives, including hiring highly trained information security experts, in order to avoid security breaches. Information security professionals can increase their knowledge and skills by embarking on highly technical and advanced training programs. EC-Council has launched the Center of Advanced Security Training (CAST) to address the shortage of highly technically skilled information security professionals. CAST will provide advanced technical security training covering topics such as Advanced Penetration Testing, Digital Mobile Forensics, Advanced Application Security, Advanced Network Defense, and Cryptography. These highly sought-after advanced information security classes will be offered at all EC-Council hosted conferences and events, and through specially selected training partners. The launch classes for CAST will be held at the upcoming TakeDownCon Dallas, from May 15-17, 2011.

ABOUT EC-COUNCIL
The International Council of E-Commerce Consultants (EC-Council) is a member-based organization that certifies individuals in various e-business and security skills. It is the owner and developer of the Certified Ethical Hacker (CEH) course, the Computer Hacking Forensic Investigator (CHFI) program, the Licensed Penetration Tester (LPT) program and various other information security training programs offered in over 60 countries around the globe. EC-Council has trained over 80,000 individuals in technical security training and certified more than 30,000 security professionals. EC-Council has launched the Center of Advanced Security Training (CAST) to address the shortage of highly technically skilled information security professionals.

