A Cracked Cornerstone of Net Security

Digital certificates are meant to signal trustworthiness. A recent forgery undermines that trust -- and demands fast repair work

By Stephen H. Wildstrom

If you've spent any time browsing the Web, you've almost certainly clicked on a link offering to download some bit of software to enhance your viewing experience. And if you accepted the offer, before the download began, you saw a screen, designed to look a bit like a stock certificate, that assured you the software you were about to download was a product of Microsoft Corp. or some other reputable vendor.

Not so fast. Back in January, someone pretending to be a Microsoft representative persuaded VeriSign Inc., the leading provider of these "digital certificates," to issue two new ones. The breach went unnoticed for more than a month before VeriSign discovered its error and electronically revoked the certificates (www.verisign.com/developer/notice/authenticode/). Revocation only helps, though, if the software checking a certificate consults the issuer's list of revoked ones, and the browsers of the day had no way to find VeriSign's list for these particular certificates; Microsoft had to ship a separate update (its security bulletin MS01-017) before they would be rejected.


The good news is there's no evidence the phony certificates were used to trick consumers into downloading malicious software. But the ease with which an impostor could obtain a high-level certificate calls into question one of the major pillars of security for electronic commerce.

A digital certificate is not encrypted text; it is a short, signed document. It lists a name, the holder's public key, and an expiration date, and it carries the digital signature of the agency that issued it, called a "certificate authority." Your computer does not call the authority to check it. It already holds the authority's own public key, installed with the browser or operating system, and uses that to verify the signature. The presenter must then prove it holds the private key that matches the public key in the certificate, by signing the software it offers (or, for a secure Web site, by completing the connection handshake). If both checks pass, you have assurance that whoever presented the certificate holds the key the authority bound to that name. What you do not get is any assurance about how carefully the authority verified the name before it signed, and that is exactly where the Microsoft case broke down: the bogus certificates were genuinely signed by VeriSign, so they checked out perfectly. They were something like a real passport, issued by the real passport office, that carries your name and my picture and allows me to assume your identity.

To obtain a first-time U.S. passport, you have to show up at the passport agency with positive identification and swear on pain of perjury that you are who you say you are. A Class 3 certificate, the sort issued to the bogus Microsoft, is supposed to require similarly rigorous identification. VeriSign documents say issuance of a Class 3 certificate requires independent assessment of the application and call-backs to assure the request is valid. The company hasn't said how these procedures broke down in the Microsoft case.
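The mechanism described above, as an added example that is not code from the article, from VeriSign or from Microsoft. It builds a miniature code-signing PKI with Go's standard library: a root CA, a certificate for a real publisher, and a second certificate the same CA issues under the same name to an impostor whose identity it failed to check. It then runs the checks a browser would run on a signed download. The CA name, publisher name, serial numbers and the "download" are constructed for the example; it uses Ed25519 keys in place of the RSA keys of 2001; and its revocation check takes the CA's list as an argument rather than fetching it over the network.

```go
package main

// Added example, not code from the article, VeriSign or Microsoft: a miniature code-signing PKI
// built only from Go's standard library. CA, publisher names, serial numbers and the "download"
// are all constructed for illustration.
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func baseTemplate(subject string, serial int64) *x509.Certificate {
	return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: subject},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
}

// newCA creates a self-signed root: the CA's role, and the key preinstalled in the browser's trust store.
func newCA(name string) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := baseTemplate(name, 1)
	tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
	tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// issueCert: the CA signs a certificate binding subject to a fresh key pair. The signature vouches
// for the name; nothing in the certificate records how carefully the CA checked it.
func issueCert(ca *x509.Certificate, caKey ed25519.PrivateKey, subject string, serial int64) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := baseTemplate(subject, serial)
	tmpl.KeyUsage = x509.KeyUsageDigitalSignature
	tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, ca, pub, caKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// verifyDownload is the browser's side: chain to a trusted root with the code-signing usage, check the
// download's signature under the certificate's public key, and, if a CRL is supplied, check that the
// issuer signed it and that it does not list this serial. Nothing here contacts the CA.
func verifyDownload(cert *x509.Certificate, roots *x509.CertPool, crl *x509.RevocationList, blob, sig []byte) (string, error) {
	chains, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}})
	if err != nil {
		return "", fmt.Errorf("chain: %w", err)
	}
	if !ed25519.Verify(cert.PublicKey.(ed25519.PublicKey), blob, sig) {
		return "", fmt.Errorf("signature on download does not verify")
	}
	if crl != nil {
		if err := crl.CheckSignatureFrom(chains[0][1]); err != nil { // chains[0][1] is the issuer
			return "", fmt.Errorf("crl: %w", err)
		}
		for _, rc := range crl.RevokedCertificates {
			if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
				return "", fmt.Errorf("certificate %v revoked", cert.SerialNumber)
			}
		}
	}
	return cert.Subject.CommonName, nil // the publisher name the dialog displays
}

// runScenario returns the names the dialog shows for the genuine and the impostor download (identical
// until revocation is checked), then the errors for the impostor once the CA's CRL is consulted and
// for a same-named certificate issued by a root the browser does not trust.
func runScenario() (genuineName, impostorName string, afterCRL, rogueCA error) {
	ca, caKey := newCA("Example Root CA")
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	// One certificate for the real publisher and, after a botched identity check, one for an impostor.
	genuine, genuineKey := issueCert(ca, caKey, "Example Software Corp.", 1001)
	impostor, impostorKey := issueCert(ca, caKey, "Example Software Corp.", 1002)
	blob := []byte("constructed sample download")
	genuineName, _ = verifyDownload(genuine, roots, nil, blob, ed25519.Sign(genuineKey, blob))
	impostorName, _ = verifyDownload(impostor, roots, nil, blob, ed25519.Sign(impostorKey, blob))
	// Weeks later the CA notices and publishes a CRL; it helps only clients that fetch and check it.
	crlDER, _ := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: time.Now(), NextUpdate: time.Now().Add(time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: impostor.SerialNumber, RevocationTime: time.Now()}},
	}, ca, caKey)
	crl, _ := x509.ParseRevocationList(crlDER)
	_, afterCRL = verifyDownload(impostor, roots, crl, blob, ed25519.Sign(impostorKey, blob))
	// A forger who cannot get the trusted CA to sign must use his own root, and that is caught.
	rogue, rogueKey := newCA("Rogue CA")
	leaf, leafKey := issueCert(rogue, rogueKey, "Example Software Corp.", 1)
	_, rogueCA = verifyDownload(leaf, roots, nil, blob, ed25519.Sign(leafKey, blob))
	return
}

func main() {
	g, i, a, r := runScenario()
	fmt.Printf("genuine: %q\nimpostor: %q\nimpostor after CRL: %v\nrogue CA: %v\n", g, i, a, r)
}
```

Run it and the genuine and impostor downloads both display the same publisher name; only the revocation list tells them apart, and only when the verifier actually consults it. A certificate from a root the browser does not trust fails immediately, which is why an impostor's easiest route is the one in the story: get the trusted authority to sign. The same chain check is what the browser's secure mode runs on a Web site's certificate, with the site's host name in the role of the publisher name.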


When you make a purchase or manage a brokerage or bank account online using your browser's "secure" mode, a critical behind-the-scenes process requires the vendor's site to send your computer a certificate. Only after the software has verified the authenticity of the certificate -- ostensibly making sure the party at the other end of the transaction is what it claims to be -- will the transaction proceed. (For the technically minded, a detailed explanation of the process can be found at www.counterpane.com/ssl.html.)

The use of certificates to secure purchases is only part of the problem. Last year, Congress passed legislation making digital signatures as legal and binding as the conventional pen-and-ink variety for most transactions. And the key to digital signatures is digital certificates that assure the electronic signer is who he or she claims to be. Supporters argued during the legislative process that digital signatures were even better than ink signatures because they couldn't be forged and couldn't be repudiated.

A few security experts, such as Bruce Schneier, chief technical officer of Counterpane Internet Security, argued this was arrant nonsense because all it proved was that a document had been signed by someone in possession of a seemingly valid certificate. No one paid much attention at the time, but now the point is hard to ignore.


Truth is, lax security practices are a far graver threat to electronic business than the burnout of a bunch of dot-coms. Consumers have been willing to buy online because they face little or no liability for fraudulent transactions. Merchants and financial institutions, however, can afford to do business only in an environment where the risks are predictable and manageable. The idea that things are under control is taking a beating from incidents such as the phony Microsoft certificates and the recent warning from the FBI's National Infrastructure Protection Center (www.nipc.gov/warnings/advisories/2001/01-003.htm) that hackers were exploiting well-known security holes to steal personal information from Web sites.

If electronic business is to prosper and truly move into the mainstream of commerce, everyone involved -- merchants, financial institutions, software vendors, and security suppliers such as VeriSign -- has to make security a top priority, starting right now. Security is very hard to get right under the best of circumstances and just about impossible when it isn't the focus of attention. If the industry doesn't get this right -- and fast -- it's setting the stage for a catastrophic loss of confidence.

Wildstrom is Technology & You columnist for BusinessWeek

Edited by Douglas Harbrecht