Authenticity of Web pages comes under attack

By ABC News
September 29, 2011, 12:53 AM

The keepers of the Internet have become acutely concerned about the Web's core trustworthiness.

Hackers cracked three companies that work with the most popular Web browsers to ensure the authenticity of Web pages where consumers type in sensitive information, such as account log-ons, credit card numbers and personal data.

The hacked firms are among more than 650 digital certificate authorities, or CAs, worldwide that ensure that Web pages are the real deal when served up by Microsoft's Internet Explorer, Firefox, Opera, Apple's Safari and Google's Chrome.

But a hacker gained access to digital certificate supplier DigiNotar this summer and began issuing forged digital certificates for hundreds of Web pages published by dozens of marquee companies.

Unable to cope with the fallout, the Dutch firm last week filed for bankruptcy under Dutch law and abruptly closed up shop. Two other digital certificate companies — New Jersey-based Comodo and Japanese-owned GlobalSign — were similarly hacked in the summer, exposing a glaring weakness in the Internet's underpinnings, security analysts say.

"The infrastructure baked into the Internet, which is based on trust, is starting to fall apart," says Michael Sutton, research vice president at security firm Zscaler. "If somebody can issue faked digital certificates, it throws the entire process into chaos."

Digital certificates enable consumers to submit information that travels through an encrypted connection between the user's Web browser and a website server. The certificate ensures the Web page can be trusted as authentic. But the unprecedented attacks against CAs show how fragile that trust can be.

The counterfeiter that gained a foothold deep inside of DigiNotar's system issued valid certificates for 531 fake pages, impersonating online properties of Google, Microsoft, Skype, Equifax, Twitter, Facebook, and the CIA, among others, according to consulting firm Fox-IT.

This touched off a scramble to cut off the fake pages. But the successful hacks demonstrated that it is possible to "impersonate any site on the Internet," says Josh Shaul, chief technical officer at security firm AppSec.

No banks or payment service websites were targeted, says Mikko Hypponen, chief researcher at anti-virus firm F-Secure.

The hacker seems much more interested in harvesting personal data from e-mail services, social networks, credit bureaus, blogging sites and anonymity services. The possible end game: espionage or political gain.

According to the Fox-IT report, the DigiNotar hacker issued counterfeit digital certificates for Web pages on google.com, android.com, microsoft.com, update.microsoft.com, login.live.com, login.yahoo.com, aol.com, wordpress.com, twitter.com, facebook.com, equifax.com and cia.gov, among other Web domains.

The forged Google Web pages were used to spy on some 300,000 Internet users in Iran. "I'm most concerned about disruption as a motive," says Roel Schouwenberg, senior researcher at Kaspersky Lab. "I'm talking about cyberwar, but even more so about hacktivism."

Google spokesman Jay Nancarrow noted that Google's Chrome browser detected one of the fake certificates "that ultimately led to the revelation of the DigiNotar compromise."