XML Repository

Web browsers need to upgrade security to prevent further attacks similar to the Comodo breach

by Sir on June 26, 2011

After a breach last month that allowed an attacker to impersonate sites like Google.com, Yahoo.com, and Skype.com, the major browser makers have begun to review how they handle Web authentication. The efforts are designed to remedy defects in how Web security is currently managed.

On Friday, Ben Laurie, a member of Google’s security team, said the Mountain View, California, company is “thinking” about ways to update Chrome to highlight potentially fraudulent certificates that “should be treated with suspicion.” The Comodo breach last month could have been avoided if such technology had been widely adopted and built into all major browsers. The Jersey City, NJ-based company announced on March 23 that an intruder, traced back to Iran, had compromised its reseller network and obtained fraudulent certificates for major Web sites, including those operated by Google and Microsoft.

Google Chrome is a web browser developed by Google using the WebKit rendering engine. It was first released as a beta version for Microsoft Windows. The name is derived from the graphical user interface frame, or “chrome”, of web browsers. In January 2011, Chrome was the third most widely used browser, accounting for 10% of worldwide web browser use, according to Net Applications. Comodo alerted the browser makers, who immediately set about devising ways to revoke the fraudulent certificates. There is no evidence that the certificates were misused.

Peter Eckersley, a senior staff member at the Electronic Frontier Foundation who has compiled a database of the public Web’s certificates, says that one way to improve security is to allow each site to announce which certificate provider it uses. Each browser trusts 321 certificate authorities equally, a security nightmare that lets any one of them issue a false certificate for, say, Google.com. It is as if hundreds of superintendents in New York City each had a master key to every unit in every condo, rather than the normal practice of one master key per superintendent.

Eckersley says browsers should develop “a way for each holder of a domain name to persistently specify their own private certificate authority if they want.” “Once established, errors in any of the thousands of other organizations would not give hackers a magic key to their systems,” he says.
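The trust model described in the two paragraphs above, as an added example written for this page (it is not code from the article, from Google, or from the EFF): two self-signed roots, “Legit CA” and “Rogue CA” (constructed names), both sit in the browser’s root store, and each issues a certificate for the constructed hostname mail.example.com. The certificates are checked first the way a 2011 browser checks them, where any trusted root is enough, and then with the per-site pin Eckersley proposes, where the site has announced which CA it uses. The pin format (base64 of the SHA-256 of the CA’s SubjectPublicKeyInfo) is this example’s own choice; the article does not specify one.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// template builds a CA or server cert template; all names below are constructed fixtures.
func template(name string, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	if isCA {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
		return t
	}
	t.DNSNames = []string{name}
	t.KeyUsage = x509.KeyUsageDigitalSignature
	t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	return t
}

// makeCert signs tmpl with the parent's key (self-signed when parent is nil); fixture code, so it panics.
func makeCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// spkiPin is what a site would announce: base64(SHA-256(SubjectPublicKeyInfo)).
func spkiPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// verify does what a 2011 browser does (any chain to any trusted root passes) and,
// if the host announced a pin, also requires that CA among the chain's issuers.
func verify(leaf *x509.Certificate, roots *x509.CertPool, host string, pins map[string]string) error {
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	if err != nil {
		return err
	}
	want, pinned := pins[host]
	if !pinned {
		return nil // no pin announced: ordinary CA trust decides
	}
	for _, chain := range chains {
		for _, issuer := range chain[1:] { // every certificate above the leaf
			if spkiPin(issuer) == want {
				return nil
			}
		}
	}
	return fmt.Errorf("no issuer in the chain matches the CA pinned for %s", host)
}

// RunScenario models the Comodo case: two equally trusted roots, and the one the site
// never used ("Rogue CA") issues a cert in the site's name. It reports what each policy accepted.
func RunScenario() map[string]bool {
	const host = "mail.example.com" // constructed hostname
	legitCA, legitKey := makeCert(template("Legit CA", true), nil, nil)
	rogueCA, rogueKey := makeCert(template("Rogue CA", true), nil, nil)
	legitLeaf, _ := makeCert(template(host, false), legitCA, legitKey)
	rogueLeaf, _ := makeCert(template(host, false), rogueCA, rogueKey)
	roots := x509.NewCertPool() // stands in for the hundreds of CAs a browser ships
	roots.AddCert(legitCA)
	roots.AddCert(rogueCA)
	pins := map[string]string{host: spkiPin(legitCA)} // what the site owner announces
	return map[string]bool{
		"legit cert, CA trust only": verify(legitLeaf, roots, host, nil) == nil,
		"rogue cert, CA trust only": verify(rogueLeaf, roots, host, nil) == nil,
		"legit cert, with pin":      verify(legitLeaf, roots, host, pins) == nil,
		"rogue cert, with pin":      verify(rogueLeaf, roots, host, pins) == nil,
	}
}
```

With CA trust alone both certificates pass, which is exactly the gap the Comodo intruder exploited: every root in the store can vouch for every name. With the site’s pin enforced, the rogue CA’s certificate is rejected while the legitimate one still passes, and a mistake at any other CA no longer affects this domain.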

Securing domain names with a technology called DNSSEC would also play a “big” role, he says. The Domain Name System Security Extensions (DNSSEC) are a suite of Internet Engineering Task Force (IETF) specifications for securing certain kinds of information provided by the Domain Name System (DNS) as used on Internet Protocol (IP) networks. They are a set of extensions to DNS that provide DNS clients (resolvers) with origin authentication of DNS data, authenticated denial of existence, and data integrity, but not availability or confidentiality.

The Comodo revelations have highlighted the shortcomings of the current system. There is no automated process for revoking fraudulent certificates. There is no public list of which companies Comodo has issued certificates to, or even of which of its resellers or partners hold a duplicate of the master keys. There is no mechanism to prevent fraudulent certificates for Yahoo Mail or Gmail from being issued by the companies involved, or by repressive regimes bent on surveillance, some of which have their own certificate authorities.

Identifying gaps and ensuring Web security is no easy task unless it is carried out by highly trained information security professionals. Organizations need to implement robust Internet security initiatives, including hiring highly trained information security experts to prevent security breaches. Information security professionals can increase their knowledge and skills by embarking on highly technical and advanced training programs. EC-Council has launched the Center for Advanced Security Training (CAST) to address the shortage of highly trained, technical information security professionals.