UPDATED 13:10 EST / MARCH 24 2011

Comodo Compromise Demonstrates Need for DNSSec Migration

Comodo, a company you probably never heard of which holds one of the many master keys to the Internet’s SSL X.509 Public Key Infrastructure (PKI) system, admitted that their root certificate authorities have been compromised by attackers.  Those attackers issued themselves SSL certificates for seven companies including Google, Skype, and Yahoo so they can fully masquerade as one of the seven companies with legitimate looking SSL certificates.  Comodo responded by revoking those certificates, but that won’t offer full protection until every device on the planet replicates the revocations and we have only Comodo’s word that more certificates haven’t been compromised.

This attack highlights a much more fundamental problem with X.509.  A lot of large companies will say “oh but we use more reputable certificate authorities for SSL”, but it doesn’t matter because the fundamental weakness of X.509 allows any one of the many certificate authorities to compromise the entire SSL PKI system.  Any nation (including rogue states) have access to the master keys.  Anyone willing to spend around $40,000 can simply buy themselves access to a root certificate (essentially a “master key”) that would allow them to create any SSL certificate they desire.  Although the terms of the root certification signing authority contractually forbid buyers from abusing their root certificate, it’s a useless trust based on the honor system.

DNSSEC is a new secure Domain Name System (DNS) that also has the ability to replace the fundamentally weak X.509 PKI system.  DNSSEC security is vastly more secure because of the following design features.

  • Only the DNSSEC roots have master keys.  By comparison, there are dozens of root authorities for X.509 and anyone with $40K or anyone who compromises one of the many root authorities have access to the master key.
  • Each DNSSEC root doesn’t have a full master key.  The .com root can’t sign for the .ca or .cn root.
  • DNSSEC delegates limited signing authority to each domain owner.  Each domain owner can sign their own certificates for their own servers and users, but they can only sign it for their own domain which eliminates the threat of signing abuse present with X.509.
  • Domain owners don’t need to pay hundreds of dollars for each server or user certificate like the current X.509 racket.  Not only does this save money, it removes barriers for the adoption of secure communications.

[Cross-posted at Digital Society]

A message from John Furrier, co-founder of SiliconANGLE:

Your vote of support is important to us and it helps us keep the content FREE.

One click below supports our mission to provide free, deep, and relevant content.  

Join our community on YouTube

Join the community that includes more than 15,000 #CubeAlumni experts, including Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger, and many more luminaries and experts.

“TheCUBE is an important partner to the industry. You guys really are a part of our events and we really appreciate you coming and I know people appreciate the content you create as well” – Andy Jassy

THANK YOU