A chain is only as strong as it’s weakest link.

That little padlock in the corner of your browser lost a little of it’s security yesterday. It shows that you’re talking to a web site via a secure, encrypted connection and that you’re really talking to who you think you are rather than someone nasty intercepting your username, password and credit card details.

Except that someone has broken in to a reseller account from certificate authority Comodo and generated certificates for several sites, including Google, Yahoo and Skype. And the fake Yahoo one has already been used on the internet, presumably to steal login credentials.

These aren’t fake certificates, so there is no way for your browser to know they don’t really belong to who they say they are. It’s akin to someone stealing the machine used to print money or driving licences and running off some fake ones. Luckily, in this case we know (Or hope we know) the serial numbers of the fake certificates so web browsers have already had patches released to keep an eye out for them, but it’s still illustrated a weakness in the system and it’s not clear how much data has yet been stolen as a result of this attack.

It’s possible the Certificate Authorities won’t be around for that much longer anyway, as a new technology (DNSSEC) could be used to give web site hosts a different way of ensuring their sites are secure and will mean we no longer have to pay a third party to prove to others – or fail to prove, in this case – who we are.

The attack came from Iran, although that doesn’t necessarily mean the attacker was in Iran – it could just as easily been a machine controlled by someone from Russia, North Korea or Peckham, London.

As some will know, it’s been reported today that RSA SecurID have been compromised in undisclosed ways. I don’t use them as I prefer the open-standard Feitian tokens via Gooze, but even then if Feitian or Gooze were compromised, the Bad Guys would know which tokens I had. (Even if they did not know what systems they were each for – I believe that to avoid this, Gooze at least destroy the keys after sending them to you)

I think Cryptocard provide the ability to reprogram tokens, but I do not have any myself and I believe it’s a commercial rather than open-standards system.

So, does anyone know of a source of reprogrammable open standard security tokens so that I am the only one that knows the secret keys? If not, anyone fancy designing and selling some?