A chain is only as strong as it’s weakest link.
That little padlock in the corner of your browser lost a little of it’s security yesterday. It shows that you’re talking to a web site via a secure, encrypted connection and that you’re really talking to who you think you are rather than someone nasty intercepting your username, password and credit card details.
Except that someone has broken in to a reseller account from certificate authority Comodo and generated certificates for several sites, including Google, Yahoo and Skype. And the fake Yahoo one has already been used on the internet, presumably to steal login credentials.
These aren’t fake certificates, so there is no way for your browser to know they don’t really belong to who they say they are. It’s akin to someone stealing the machine used to print money or driving licences and running off some fake ones. Luckily, in this case we know (Or hope we know) the serial numbers of the fake certificates so web browsers have already had patches released to keep an eye out for them, but it’s still illustrated a weakness in the system and it’s not clear how much data has yet been stolen as a result of this attack.
It’s possible the Certificate Authorities won’t be around for that much longer anyway, as a new technology (DNSSEC) could be used to give web site hosts a different way of ensuring their sites are secure and will mean we no longer have to pay a third party to prove to others – or fail to prove, in this case – who we are.
The attack came from Iran, although that doesn’t necessarily mean the attacker was in Iran – it could just as easily been a machine controlled by someone from Russia, North Korea or Peckham, London.