Researcher: Comodo hack demonstrates wider issues with SSL certificates
Trust issues and improper implementation significantly compromise the security provided by SSL certificates, well-known researcher Moxie Marlinspike told attendees of the Black Hat Conference earlier this month, according to an eWeek report.
The certificate authority Comodo, earlier this year, was hacked and tricked into providing certificates for sites owned by Google, Yahoo, Microsoft and Mozilla, according to the publication. Responsibility, eWeek said, was claimed by an Iranian hacker, who may have used the certificates to create man-in-the-middle attacks.
The eWeek report said that Marlinspike went on to assert that this is a real problem for the average internet user, since removing Comodo from one's list of trusted SSL certificate authorities would result in an inability to access roughly a quarter of the entire internet. This, he added, is why browser developers' hands are tied on this issue.
Experts say that the strongest data security defenses possible will incorporate SSL certificates, but developers should not rely on them solely for validation. A holistic, common-sense approach to the protection of valuable data is the most likely to meet with success.