Authenticity of Web pages comes under attack

— -- The keepers of the Internet have become acutely concerned about the Web's core trustworthiness.

Hackers cracked three companies that work with the most popular Web browsers to ensure the authenticity of Web pages where consumers type in sensitive information, such as account log-ons, credit card numbers and personal data.

The hacked firms are among more than 650 digital certificate authorities, or CAs, worldwide that ensure that Web pages are the real deal when served up by Microsoft's Internet Explorer, Firefox, Opera, Apple's Safari and Google's Chrome.

But a hacker gained access to digital certificate supplier DigiNotar this summer and began issuing forged digital certificates for hundreds of Web pages published by dozens of marquee companies.

Unable to cope with the fallout, the Dutch firm last week filed for bankruptcy under Dutch law and abruptly closed up shop. Two other digital certificate companies — New Jersey-based Comodo and Japanese-owned GlobalSign — were similarly hacked in the summer, exposing a glaring weakness in the Internet's underpinnings, security analysts say.

"The infrastructure baked into the Internet, which is based on trust, is starting to fall apart," says Michael Sutton, research vice president at security firm Zscaler. "If somebody can issue faked digital certificates, it throws the entire process into chaos."

Digital certificates enable consumers to submit information that travels through an encrypted connection between the user's Web browser and a website server. The certificate ensures the Web page can be trusted as authentic. But the unprecedented attacks against CAs show how fragile that trust can be.

The counterfeiter that gained a foothold deep inside of DigiNotar's system issued valid certificates for 531 fake pages, impersonating online properties of Google, Microsoft, Skype, Equifax, Twitter, Facebook, and the CIA, among others, according to consulting firm Fox-IT.

This touched off a scramble to cut off the fake pages. But the successful hacks demonstrated that it is possible to "impersonate any site on the Internet," says Josh Shaul, chief technical officer at security firm AppSec.

No banks or payment service websites were targeted, says Mikko Hypponen, chief researcher at anti-virus firm F-Secure.

The hacker seems much more interested in harvesting personal data from e-mail services, social networks, credit bureaus, blogging sites and anonymity services. The possible end game: espionage or political gain.

According to the Fox-IT report, the DigiNotar hacker issued counterfeit digital certificates for Web pages on google.com, android.com, microsoft.com, update.microsoft.com, login.live.com, login.yahoo.com, aol.com, wordpress.com, twitter.com, facebook.com, equifax.com and cia.gov, among other Web domains.

The forged Google Web pages were used to spy on some 300,000 Internet users in Iran. "I'm most concerned about disruption as a motive," says Roel Schouwenberg, senior researcher at Kaspersky Lab. "I'm talking about cyberwar, but even more so about hacktivism."

Google spokesman Jay Nancarrow noted that Google's Chrome browser detected one of the fake certificates "that ultimately led to the revelation of the DigiNotar compromise."

The pressure is now on CAs worldwide to make themselves more hack-proof. And for the browser makers to do more to identify and quickly eradicate counterfeit certificates and fake Web pages, security experts say.

Symantec senior director Michael Lin says the current system can be salvaged. "Consumers need to be able to interact with websites with confidence," says Lin.

Jeff Hudson, CEO of digital certificate management firm Venafi, cautions that the hacks that unfolded this summer are just the beginning. "This is a huge issue with significant ramifications to business productivity and company brand," says Hudson. "No one knows where the next breach will occur, or whether it will occur in a week or three months."

Microsoft, maker of the world's most widely used Web browser, Internet Explorer, declined to comment, as did Apple, maker of the Safari browser.

However, spokesmen for Mozilla, maker of the No. 2 Firefox browser, and Opera, a browser used widely in Europe and on cellphones, noted that steps are being taken to shore up the current system.

"The security of the Web is our collective responsibility," says Johnathan Nightingale, Mozilla's director of Firefox engineering. "To improve it, we need a continuing, and open, dialog supported by focused action."