Outdated Security Threatens Web Commerce
By John Markoff December 30, 2008, 10:15 am
UPDATED 11:48 a.m.: Added more information about a 2001 certificate problem that involved Microsoft.
A team of United States and European computer security researchers has used a cluster of several hundred Sony PlayStation 3 video-game machines to exploit a basic weakness in the software system used to protect commercial transactions made via the Internet.
The attack is possible because a handful of commercial organizations that provide components of the basic security infrastructure of the Internet are using an older security technology - despite years of warnings that it is now potentially obsolete. The flaw would make it possible for a criminal to redirect a Web surfer to a fake bank or online merchant without being detected by the security mechanism embedded in today's Web browsers. It could also be used to subvert e-mail communications and other applications that use cryptographic software for authentication and security.
The demonstration underscores that the commercial infrastructure of the Internet, along with its privacy and security, rests on an advanced branch of mathematics that may in the future become vulnerable to more powerful computing systems and more clever attackers.
Today's browsers display a tiny image of a padlock when a user has a secure connection to a Web site. This is intended to provide evidence that the Web site is legitimate, as the browser and the site exchange digital certificates provided by a certificate authority - a trusted third party.
Researchers have proved they can create fake certificates that will be accepted by the security system.
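The article names neither the certificate format nor the older technology at fault. As an added example that is not from the article or the researchers, the script below reads the signatureAlgorithm field of a DER-encoded X.509 certificate, the field that records which algorithm the certificate authority signed with, and reports whether a validator should still accept that algorithm. The certificates it parses are constructed stand-ins built by the script itself, and the OID table comes from the X.509 RFCs, not from the page.

```python
# Added example, not code from the article or the researchers: walk a DER-encoded
# X.509 certificate far enough to read its signatureAlgorithm field and report
# whether the issuing authority used an algorithm a validator should still accept.
# The certificates parsed here are CONSTRUCTED stand-ins, not real certificates.

# Signature algorithm OIDs (RFC 3279 / RFC 4055) and whether to still accept them.
SIGNATURE_ALGORITHMS = {
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", False),   # collision-broken
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", False),  # deprecated
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", True),
}

def der(tag, value):  # encode one DER tag-length-value (used to build test certs)
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    n = (len(value).bit_length() + 7) // 8
    return bytes([tag, 0x80 | n]) + len(value).to_bytes(n, "big") + value

def read_tlv(data, pos):
    """Decode the DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                       # long form: low bits count length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def decode_oid(value):
    """Decode a DER OBJECT IDENTIFIER value into dotted-decimal form (1.* / 2.* arcs)."""
    arcs, acc = [str(value[0] // 40), str(value[0] % 40)], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                    # high bit clear ends a base-128 arc
            arcs.append(str(acc))
            acc = 0
    return ".".join(arcs)

def signature_algorithm(cert_der):
    """Return (oid, name, acceptable) for the certificate's outer signatureAlgorithm."""
    tag, cert, _ = read_tlv(cert_der, 0)    # Certificate ::= SEQUENCE { ... }
    assert tag == 0x30, "not a DER SEQUENCE"
    _, _, pos = read_tlv(cert, 0)           # tbsCertificate: skip over it
    _, alg, _ = read_tlv(cert, pos)         # signatureAlgorithm: AlgorithmIdentifier
    tag, oid_bytes, _ = read_tlv(alg, 0)    # its first element is the algorithm OID
    assert tag == 0x06, "AlgorithmIdentifier does not start with an OID"
    oid = decode_oid(oid_bytes)
    name, acceptable = SIGNATURE_ALGORITHMS.get(oid, ("unknown", False))
    return oid, name, acceptable

def constructed_certificate(oid_hex):  # structurally valid dummy cert, given OID hex
    tbs = der(0x30, der(0x02, b"\x02"))     # tbsCertificate stub (one INTEGER)
    alg = der(0x30, der(0x06, bytes.fromhex(oid_hex)) + der(0x05, b""))
    return der(0x30, tbs + alg + der(0x03, b"\x00" * 17))  # dummy BIT STRING
```

Running `signature_algorithm(constructed_certificate("2a864886f70d010104"))` returns the md5WithRSAEncryption entry with `acceptable` set to False.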