
TechNewsWorld Talkback

 



Re: Malware Munches on Mitsubishi, and Certificates Can Lie
Posted by: Richard Adhikari 2011-09-21 07:57:43

In the wake of repeated hacker attacks on defense contractors in the United States comes news that the systems of Mitsubishi Heavy Industries, Japan's biggest defense contractor, have been breached. Mitsubishi's submarine, missile and nuclear power plant component factories were reportedly targeted by the attackers. Meanwhile, the security community is warning that digital certificates can't be trusted following the revelation earlier this month that Dutch certificate authority DigiNotar had several certificates compromised.


What exactly is insecure with PKI?
Posted by: jafcobend 2011-09-21 08:21:13 In reply to: Richard Adhikari
Since I don't have much room I'll have to be brief:

From the article I wasn't clear on what you were proposing the weakness in PKI was. From what I've read here and elsewhere, it seems that the problem is in key access control, the security of the signing facilities and the time required to revoke compromised keys. For things like web certs, vetting of the applicant is also critical. But nothing actually wrong with the PKI mechanism itself.

I use PKI to allow access to VPNs. But I usually keep the signing computer on a separate network or disconnected, using sneaker-net to get certs signed. The root signing key has to be guarded like Fort Knox!