I have a lot of friends in the real estate industry, and two of the most common sales tactics are to create “curb appeal,” and to “stage” the interior of the residence being sold. Curb appeal, of course, refers to making the home looks as appealing as possible upon first impression. Update the landscaping. Add flowers. Make sure the lawn is well maintained. Maybe add a coat of fresh paint. You get the idea. And on the inside, remove everything that made the house a home, and bring in a professional interior designer to “stage” the place by painting, enhancing lighting, bringing in rental furniture etc. – essentially, transitioning the abode to a “model home” that is highly pleasing to the eye.
If the house is in need of better wiring, updated plumbing, new home heating/cooling – Hell, if the foundation is crumbling, it doesn’t matter. The goal is to make the prospective buyer feel good about the property and envision living in this “beautiful” residence.
Putting “lipstick on the real estate pig” works. Professionals will tell you that creating curb appeal and a well-staged home will sell faster, and for more money than a comparable house whose agent/seller does not adopt these tactics.
We have a similar situation occurring in the world of cybersecurity, particularly in the emerging world of IoT. We have a “Digital Pig” that is part of our everyday connected existence, and layers of brightly colored lipstick are being slapped on this porker every single day. I’m referring to PKI – a system for the creation, storage and distribution of digital certificates which are used to verify that a particular public key belongs to a certain entity. To be clear, it’s the elaborate PKI needed to support the certificates that’s the problem. And the sad reality is if certificate issuance and key exchange is involved, the cyber security solution is doomed from the start.
We’re talking PIG KI.
Why is that?
It’s because the entire certificate industry has been so badly compromised by fake, flawed, highly-vulnerable self-signed and un-revoked certificates, that it is beyond repair. It’s not like issuing new certificates and adding greater capabilities in certificate management or better cyber intrusion detection can eliminate the problem. The Digital Pig is insidethe connected-world barn, and closing the doors after it’s already pervasively entrenched in our cyber spaces just won’t work. And this isn’t just my opinion. According to a Sept 2016 article posted by the EU Agency for Network and Information Security (ENISA), “Certificate Authorities are the weak link of Internet Security.”
Symantec knows it. It finally gave up on the certificate issuance game, selling its website security business to DigiTrust after Google and Mozilla began a process of distrust in its TLS certificates.
But how bad can things be, really? The situation is well beyond bad – it’s horrifying. According to Netcraft a whopping 95% of HTTPS servers are vulnerable to Man-in-the-Middle attacks. How is that possible? Well, for sure human error and technical incompetence is part of the problem. But that’s never going away. The real problem is that the reliance on certificates. Flawed, broken, faked certificates.
Certificates: Impossible to Kill
Of the certificates already in use, the Ponemon Institute reports that 54% of organizations do not know how many certificates are in use within their infrastructures, where they are located or how they are used – and they have no idea how many of these unknown assets are self-signed (open source) or signed by a Certificate Authority.
Netcraft’s Mutton writes, “ killing bad certs is difficult…it is not unusual to see browser vendors making whole new releases in order to ensure that the compromised – or fraudulent – certs are no longer trusted…it could remain trusted…for months or years.”
I’ll argue that certificates, being the root of the problem, have to be eliminated. The recent discovery of the ROCA and ROBOT attack highlights the serious vulnerability of the extant implementations of the RSA algorithm and that RSA itself ought to be deprecated.
What’s the solution? Kill the PIG! Start with the premise that cybercriminals can’t get in the middle of communication protocols that don’t exist.