Tuesday, October 18, 2011

Not news, but worth emphasising: SSL certificate authorities can be compromised

I can't actually spot the piece of news in this "news" item by the BBC. However, the general point of the article still stands as a universal truth: our secure web communications generally depend, and always have depended, on the assumption that certificate authorities are not compromised. They also depend, among other things, on the assumption that client machines' certificate stores, software and operating systems are not compromised and don't have bugs. People do sometimes forget this and take the little padlock icon in their web browser as some kind of "guarantee"; it's worth reminding ourselves from time to time that SSL offers a degree of confidence that a communication is secure, but no absolute guarantee.

However, I repeat that this isn't really a piece of news to have come to light on 18 October 2011; it has been universally true since the inception of the secure web communications protocols that we so readily rely on.
