Comodo Compromise Demonstrates Need for DNSSec Migration
Comodo, a company you probably never heard of which holds one of the many master keys to the Internet’s SSL X.509 Public Key Infrastructure (PKI) system, admitted that their root certificate authorities have been compromised by attackers. Those attackers issued themselves SSL certificates for seven companies including Google, Skype, and Yahoo so they can fully masquerade as one of the seven companies with legitimate looking SSL certificates. Comodo responded by revoking those certificates, but that won’t offer full protection until every device on the planet replicates the revocations and we have only Comodo’s word that more certificates haven’t been compromised.
This attack highlights a much more fundamental problem with X.509. A lot of large companies will say “oh but we use more reputable certificate authorities for SSL”, but it doesn’t matter because the fundamental weakness of X.509 allows any one of the many certificate authorities to compromise the entire SSL PKI system. Any nation (including rogue states) have access to the master keys. Anyone willing to spend around $40,000 can simply buy themselves access to a root certificate (essentially a “master key”) that would allow them to create any SSL certificate they desire. Although the terms of the root certification signing authority contractually forbid buyers from abusing their root certificate, it’s a useless trust based on the honor system.
DNSSEC is a new secure Domain Name System (DNS) that also has the ability to replace the fundamentally weak X.509 PKI system. DNSSEC security is vastly more secure because of the following design features.
- Only the DNSSEC roots have master keys. By comparison, there are dozens of root authorities for X.509 and anyone with $40K or anyone who compromises one of the many root authorities have access to the master key.
- Each DNSSEC root doesn’t have a full master key. The .com root can’t sign for the .ca or .cn root.
- DNSSEC delegates limited signing authority to each domain owner. Each domain owner can sign their own certificates for their own servers and users, but they can only sign it for their own domain which eliminates the threat of signing abuse present with X.509.
- Domain owners don’t need to pay hundreds of dollars for each server or user certificate like the current X.509 racket. Not only does this save money, it removes barriers for the adoption of secure communications.
[Cross-posted at Digital Society]
A message from John Furrier, co-founder of SiliconANGLE:
Support our mission to keep content open and free by engaging with theCUBE community. Join theCUBE’s Alumni Trust Network, where technology leaders connect, share intelligence and create opportunities.
- 15M+ viewers of theCUBE videos, powering conversations across AI, cloud, cybersecurity and more
- 11.4k+ theCUBE alumni — Connect with more than 11,400 tech and business leaders shaping the future through a unique trusted-based network.
About SiliconANGLE Media
SiliconANGLE Media is a recognized leader in digital media innovation, uniting breakthrough technology, strategic insights and real-time audience engagement. As the parent company of SiliconANGLE, theCUBE Network, theCUBE Research, CUBE365, theCUBE AI and theCUBE SuperStudios — with flagship locations in Silicon Valley and the New York Stock Exchange — SiliconANGLE Media operates at the intersection of media, technology and AI.
Founded by tech visionaries John Furrier and Dave Vellante, SiliconANGLE Media has built a dynamic ecosystem of industry-leading digital media brands that reach 15+ million elite tech professionals. Our new proprietary theCUBE AI Video Cloud is breaking ground in audience interaction, leveraging theCUBEai.com neural network to help technology companies make data-driven decisions and stay at the forefront of industry conversations.
