alt.embedded

What Developers Need To Know About Compromised Security

Unless you hang around the security sites you may have missed the problem where an SSL Registration Authority (RA) associated with Comodo was compromised (see Recent RA Compromise). The attacker obtained the username and password of a Comodo Trusted Partner in Southern Europe to gain access to digital certificates that let them generate SSL certificates for some of Comodo's customers allowing a third party set up a secure website that would masquerade as a valid website. Combine this site with phishing emails and other fraudulent attacks and it is easy to see that this breach can have a significant affect on users and companies.

Comodo's root key were not compromised because the affiliate did not have these. They had signing certificates created using this key. The fraudulent SSL certificates were for domains from the likes of Google.com, Skype.com and Yahoo.com.

Browser developers are already aware of this security hierarchy where digital certificates for signing are signed by a higher authority. Revocation of a certificate is handled by a revocation list that is often updated when a browser is updated. SSL is the usual communication security mechanism employed by browsers and for browser-based applications that are becoming more common. This includes browser-based applications on smartphones and tablets.

Application developers building embedded devices need to know about the browser issues but they also need to know that this issue is not restricted to browsers. SSL VPNs are often utilized to secure communication between device. The SSL issue mention is equally applicable to SSL VPNs. This means that an embedded application needs to handle certificate revocation. Likewise, those in charge of deployment need to know how important the signing certificates are.

Many vendors will employ applications that will used self-signed certificates essentially being their own RA. This is very reasonable but developers need to remember that these certifcates need to be secured. Likewise, a company with multiple products may want to have a more complex signing system. It definitely should provide a revocation mechanism.

This episode also highlights why a hierarchical security system should be employed in embedded devices. For example, if a secure SSL VPN is used to download a firmware update then it would be a good idea to also digitally sign the firmware using a different key. This means that an attacker would have to compromise two keys, not one.

The layered, need-to-know approach is embodied in operating systems like Security-Enhanced Linux. Green Hills Software's Integrity (see Hypervisor Gets Secure) and Lynuxworks' LynxSecure (see MILS, MSL, MLS: Figuring Out All Those Secure Acronyms) provide an isolation approach using virtualization hardware. These platforms can help keep a system secure but if outside communication is compromised even these platforms can do little more than isolate the problem.

Hide comments

Comments

  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
Publish