Description: The encryption used by many websites to prevent eavesdropping on their interactions with visitors is not very secure. This technology is in use when Web addresses start with “https” (in which “s” stands for secure) and a closed lock icon appears on Web browsers.
Source: Globe&Mail
Date: April 7, 2011
The Electronic Frontier Foundation, an online civil liberties group, has explored the Internet in an attempt to map this nebulous system. As of December, 676 organizations were signing certificates, it found. Other security experts suspect that the scan missed many and that the number is much higher.
Making matters worse, entities that issue certificates, though required to seek authorization from site owners, can technically issue certificates for any website. This means that governments that control certificate authorities and hackers who break into their systems can issue certificates for any site at will.
Experts say that both the certificate system and the technology it employs have long been in need of an overhaul, but that the technology industry has not been able to muster the will to do it. “It hasn’t been perceived to be a big enough problem that needs to be fixed,” said Stephen Schultze, associate director of the Center for Information Technology Policy at Princeton. “This is a wake-up call. This is a small leak that is evidence of a much more fundamental structural problem.”
Questions for discussion:
- What are the advantages of using certificates to authenticate web transactions?
- What are the risks of using certificates to authenticate web transactions?